Web App Security (webappsec) Mailing List

RE: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 11:26:06 -0500

Posted by Hellman Matthew on Jul 1

>>The probe I do is opening two sessions with two different users (one
>>in internet explorer and one in firefox). Then I copy the cookie
>>belonging to one user and substitute it in a request done by the other
>>user (using WebScarab). The app throws and error and...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 18:20:29 +0200

Posted by Heine Deelstra on Jul 1

CakePHP has open source, why not use it :)

http://api.cakephp.org/view_source/cake-session/#line-134 etc.
Received on Jul 01 2009

Re: Unable to impersonate another user although having its cookie

Wed, 01 Jul 2009 10:42:11 -0500

Posted by jay.tomas_at_infosecguru.com on Jul 01

I agree that best practices are not followed which is exactly why
there are plenty of nightmares to laugh at. My point was to look at
the least common denominator and say maybe this is working as
designed. cakephp is open source so it may be easier to just look at
the source and see...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 23:29:09 +0800

Posted by Christopher Firth on Jul 1

Jay,

From re-reading Juan's message, it sounds like he's actually logging
in to the application once in a browser and then making the request
that the first browser would normally do in the second browser, with
the cookie from the first browser. In -theory- this shouldn't lock out...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 23:39:50 +0900

Posted by S I on Jul 1

As pUm said:
My guess is that it is the user-agent

it may be the user agent. Instead of tryin g them all, I sugget you to
install the Firefox User-Agent Switcher addon
"https://addons.mozilla.org/en-US/firefox/addon/59

And select the IE one. Or simply change copy/paste the IE user agent...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 16:50:53 +0200

Posted by Marc Ouwerkerk on Jul 1

pUm is right. You can download the code form Cake and see for
yourself. In cake\libs\session.php you will see the following check:
if ((Configure::read('Session.checkAgent') === false ||
$this->_userAgent == $this->read('Config.userAgent')) && $this->time
<=...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 17:30:03 +0300

Posted by Irene Abezgauz on Jul 1

Juan,

A few questions to direct this -

1. are there any parameters in the request itself that are not the
cookie and can be suspected as client/session identifiers? (either in
the body of a POST or as part of the URL in a GET)?
2. are you trying to execute a similar request? is there a...

Re: Unable to impersonate another user although having its cookie

Wed, 01 Jul 2009 10:02:35 -0500

Posted by jay.tomas_at_infosecguru.com on Jul 01

If I understand the issue correctly you login successfully and get a
cookie. You then try and login a second time with another browser
trying to impersonate the first authenticated user. However, the first
session then gets logged out. To me this would be expected if the app
is...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 09:42:21 -0500

Posted by Michael Yelland on Jul 1

Go dload sidejacking, it contains hampster and ferret

On Jul 1, 2009, at 9:36 AM, "Irene Abezgauz"
<irene.abezgauz_at_gmail.com> wrote:

> Juan,
>
> A few questions to direct this -
>
> 1. are there any parameters in the request itself that are not the
...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 09:20:27 -0500

Posted by Brad Causey on Jul 1

Juan,

There is actually a relatively simple way to figure out what exactly
is causing the session stealing to fail.

Get a local proxy, such as WebScarab.
(http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) and
run it on the machine where the browsers are installed.
Configure...

Re: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 15:00:49 +0100

Posted by pUm on Jul 1

just a gues,
but try to fake the user agent. something in the http header must be
part of the cookie auth. so try them all and then reduce. My guess is
that it is the user-agent

2009/7/1 Juan Kinunt <kinunt_at_gmail.com>:
> Hi,
>
> I'm auditing a web application...

RE: Unable to impersonate another user although having its cookie

Wed, 1 Jul 2009 14:34:38 +0100

Posted by Martin ONeal on Jul 1

> Is this possible?

Ja; possible. May be tagging agent, or source address, or maybe using
multiple cookies, or maybe session ID in javascript variable...

> Is it the normal operation
> in sessions in CakePHP?

No eye dear.

Martin...
Received on Jul 01 2009

Article: Setting the appropriate security defect handling expectations in development and QA

Mon, 15 Jun 2009 14:08:10 -0400 (EDT)

Posted by robert_at_webappsec.org on Jun 15

Greetings,

I have just published the following article on handling application security defects (vulnerabilities) in development
and QA.

"If you've worked in information security you've likely had to report a security defect to development in an effort to
remediate the issue. Depending...

XML visibility proxy

Thu, 11 Jun 2009 21:11:38 -0400

Posted by Scott Sanchez on Jun 11

Can anyone recommend an open source web proxy solution for getting
visibility in to an XML stream? e.g to sit in the DMZ and act as the
SSL end point for business partner connections... Giving me a hook to
suck out the data and log it, scan it, etc before opening another SSL
session...

[tool] dradis framework 2.2 released

Fri, 12 Jun 2009 00:28:26 +0100

Posted by etd on Jun 12

What is dradis?
---------------------------------------------------
- dradis is an open source tool for sharing information. Great to be
used during security engagements.
- It provides a centralized repository of information.
- Client/server architecture with a web interface

What is new?
...