Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: Unable to impersonate another user although having its cookie
From: Christopher Firth <lists () 100mb com au>
Date: Wed, 1 Jul 2009 23:29:09 +0800
Jay,
From re-reading Juan's message, it sounds like he's actually logging in to the application once in a browser and then making the request that the first browser would normally do in the second browser, with the cookie from the first browser. In -theory- this shouldn't lock out that session as there is only the 1 log in (which doesn't actually happen with this specific application due to the user agent). 

Chris


On 01/07/2009, at 11:02 PM, jay.tomas () infosecguru com wrote:
If I understand the issue correctly you login successfully and get a cookie. You then try and login a second time with another browser trying to impersonate the first authenticated user. However, the first session then gets logged out. To me this would be expected if the app is designed correctly. I would think you would only want 1 valid login at a time, and if another one is used it would invalidate the other. 

-Jay


Quoting pUm <hijacka () googlemail com>:


just a gues,
but try to fake the user agent. something in the http header must be
part of the cookie auth. so try them all and then reduce. My guess is
that it is the user-agent

2009/7/1 Juan Kinunt <kinunt () gmail com>:

Hi,
I'm auditing a web application programmed in CakePHP and I'm having a problem. 
I'm almost sure the authentication mechanism is carried by a cookie
but I'm unable to impersonate another user using its cookie.
The probe I do is opening two sessions with two different users (one
in internet explorer and one in firefox). Then I copy the cookie
belonging to one user and substitute it in a request done by the other 
user (using WebScarab). The app throws and error and disconnects the
validated and legal user.
I think that some info is stored in server side about the client who
owns each cookie.

Is this possible? Is it the normal operation in sessions in CakePHP?

Any info or pointer would be very useful.

Thanks.











----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]