.png)
1 year ago
106 BOOK THIS SPACE FOR AD
ARTICLE ADExamining and editing the cookies set by the web server during your online session can have multiple outcomes, such as unauthenticated access, access to another user’s account, or elevated privileges.
The contents of some cookies can be in plain text, and it is obvious what they do. Take, for example, if these were the cookie set after a successful login:
Set-Cookie: logged_in=true; Max-Age=3600; Path=/
Set-Cookie: admin=false; Max-Age=3600; Path=/
We see one cookie (logged_in), which appears to control whether the user is currently logged in or not, and another (admin), which controls whether the visitor has admin privileges. Using this logic, if we were to change the contents of the cookies and make a request we’ll be able to change our privileges.
First, we’ll start just by requesting the target page:
curl http://test_ip/cookie-test
We can see we are returned a message of: Not Logged In
Now we’ll send another request with the logged_in cookie set to true and the admin cookie set to false:
curl -H “Cookie: logged_in=true; admin=false” http://test_ip/cookie-test
We are given the message: Logged In As A User
Finally, we’ll send one last request setting both the logged_in and admin cookie to true:
curl -H “Cookie: logged_in=true; admin=true” http://test_ip/cookie-test
This returns the result: Logged In As An Admin as well as a flag which you can use to answer question one.
Sometimes cookie values can look like a long string of random characters; these are called hashes which are an irreversible representation of the original text. Here are some examples that you may come across:
md5 — → c4ca4238a0b923820dcc509a6f75849b
sha-256 — →6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
sha-512 —>4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
sha1 — ->356a192b7913b04c54574d18c28d46e6395428ab
You can see from the above table that the hash output from the same input string can significantly differ depending on the hash method in use. Even though the hash is irreversible, the same output is produced every time, which is helpful for us as services such as https://crackstation.net/ keep databases of billions of hashes and their original strings.
Encoding is similar to hashing in that it creates what would seem to be a random string of text, but in fact, the encoding is reversible. So it begs the question, what is the point in encoding? Encoding allows us to convert binary data into human-readable text that can be easily and safely transmitted over mediums that only support plain text ASCII characters.
Common encoding types are base32 which converts binary data to the characters A-Z and 2–7, and base64 which converts using the characters a-z, A-Z, 0–9,+, / and the equals sign for padding.
Take the below data as an example which is set by the web server upon logging in:
Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/
This string base64 decoded has the value of {“id”:1,”admin”: false} we can then encode this back to base64 encoded again but instead setting the admin value to true, which now gives us admin access.
Bengali (Bangladesh) · 
English (United States) ·