Peter,
Attached is a modification I made to Mozilla that allows you to edit cookies
that your browser picks up, including session cookies. I have compiled and
tested this under Windows and Linux using the Mozilla 0.9.2 (it may work
with newer versions, but this is untested) source code tree. Its a pain to
compile under Win32, so I suggest using it in Linux. To use, just apply the
patch to the source code with:
patch -p0 < (source to diff)/mozilla-cookie-edit.diff
User the following procedure to edit cookies:
Click edit->prefences. Open the privacy and security twistie, and click on
cookies. Click view stored cookies to open the cookie manager. From there,
you can view any cookie (as you could always), and change the value by
editing the value in the box and clicking "set cookie".
I've used this in web application security assesments, and have successfully
hijacked other users sessions this way. Of course you have to guess the
session id (if that's all thats used), but considering the predictability of
the session IDs generated by an unpatched WebShere application server, this
could drive a good point home.
There is only caveat, when you modify a cookie, the value is not stored in
the array used for the cookie manager (this is used for display only). If
you click another cookie, then come back to the one you have edited, it
appears as though the change never occured (even though the value of the
cookie in memory). It will be modified if you close the cookie manager and
open it back up. This was intentional, since I use this as a way to revert
the cookie to its original value, in case I click on the wrong one, or made
a mistake ;)
Regards,
Steve
>Does anyone know of a piece of software that can be used for viewing >and
>manipulating the data inside of a cookie?
>Peter Holland
>Available Mortgage Funding
>Dallas, Texas
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
Received on Oct 02 2001
Intro
