EvilZone
Hacking and Security: October 18, 2014, 11:14:16 PM
-
I have a simple login page on a classic asp page.
It takes the username field from a form ("un") and the password ("pw") and does the following with them:
<%
un = newstr(request.form("un"))
pw = newstr(request.form("pw"))
SQL = "SELECT * from my_table WHERE un = '"&un&"' AND pw = '"&pw&"'"
set cRS = oConn.Execute(SQL)
if cRS.EOF then
%>
<p>Unable to log you in. Please <a href="default.asp">try logging in again</a>.</p>
<%
elseif NOT cRS.EOF then
Response.Cookies("test") = "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"
Response.Cookies("test").Expires = Date() + 365
response.redirect "main.asp"
end if
%>
Then I have some simple validation at the top of each page whose content I only want logged in users to be able to see, which does this:
<%
test = Request.Cookies("test")
if test = "" OR test <> "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY" then response.redirect("default.asp")
%>
I wanted to check - is that naively simple?
Could someone easily hack into my site, by e.g. setting a cookie on their computer, called "test" and whose value = "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"?
Or wouldn't it be pretty unlikely someone would guess that string value of "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"?
According to this:
http://stackoverflow.com/questions/26430061/classic-asp-cookie-vulnerability
It is totally rubbish.
However, how could a hacker hack into my site? Leaving aside the parameterised input issue, which is a separate issue, why is the cookie method so risky?
Because wouldn't the hacker have to guess the string value of "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY" to get in, or can they use snooping tools like Wireshark to intercept a user logging into the site?
Wouldn't they still have to be in the right place at the right time to accidentally come across someone trying to log in in the first place in order to get this info? Otherwise, how would they know what to look for, if no activity was going on?
Any advice much appreciated.
Thanks
-
To answer your question simply: yes, if they used Wireshark they would gain access to your site in a matter of seconds; it's as easy as copying and pasting the cookies in Firefox/Chrome/etc.
-
If you used an HTTPS connection then cookie grabbing in this sense isn't really possible.
-
Security by obscurity is always a bad choice. Using this cookie is quite the same as hardcoded passwords, keys etc. But without HTTPS you will transfer it in cleartext with each request of an authenticated user.
Also there is a bunch of attack vectors even with HTTPS, e.g. you are also vulnerable to XSS and didn't set the Secure and HttpOnly flags on this cookie.
Btw, the parameterized query issue (under certain conditions) may allow an attacker to access your source code and simply read this cookie.
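The fixes the replies point at (a fresh random token per login instead of one fixed string, a server-side session store that can expire or revoke it, Secure/HttpOnly cookie attributes, and a parameterized query instead of string concatenation) are shown together below. This is an added illustration, not the original poster's ASP code or anything from the thread: it is written in Python with sqlite3 so it runs stand-alone. The table name `my_table` and the column name `un` come from the poster's query; the `salt`/`pw_hash` columns, the `session` cookie name, the one-hour lifetime, the in-memory session store and the sample user are assumptions made for the example.

```python
"""Hardened replacement for the static-cookie login discussed in the thread.

Added example, not the poster's code. Assumed: a `my_table` with columns
un/salt/pw_hash, a cookie named `session`, a one-hour session lifetime,
and an in-memory dict standing in for a real session table.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

SESSION_TTL = 3600  # seconds a session id stays valid (assumed value)

# Server-side session store: token -> (username, expiry timestamp).
# In production this is a database table or cache; a dict suffices here.
_sessions = {}


def _hash_password(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the table never holds the plaintext password
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def create_user_db() -> sqlite3.Connection:
    """Constructed sample database with one user: alice / 'correct horse'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE my_table (un TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO my_table VALUES (?, ?, ?)",
        ("alice", salt, _hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, un: str, pw: str):
    """Return (session_id, Set-Cookie value) on success, None on failure.

    The username is bound as a query parameter rather than concatenated
    into the SQL text, so input like "' OR '1'='1" is just a literal.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM my_table WHERE un = ?", (un,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    # Constant-time comparison: no timing leak on how many bytes matched
    if not hmac.compare_digest(_hash_password(pw, salt), stored):
        return None
    # Unguessable per-login token (256 bits of CSPRNG output), not a constant
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = (un, time.time() + SESSION_TTL)
    # Secure: only sent over HTTPS; HttpOnly: not readable by page scripts (XSS)
    cookie = (
        f"session={sid}; Max-Age={SESSION_TTL}; Path=/; "
        "Secure; HttpOnly; SameSite=Lax"
    )
    return sid, cookie


def current_user(cookie_header: str):
    """Resolve the logged-in user from a request's Cookie header, else None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            entry = _sessions.get(value)
            if entry is not None and entry[1] > time.time():
                return entry[0]
    return None


def logout(sid: str) -> None:
    """Invalidate the token server-side, so a copied cookie stops working too."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    db = create_user_db()
    print(login(db, "' OR '1'='1", "x"))          # None: injection is inert
    sid, set_cookie = login(db, "alice", "correct horse")
    print(set_cookie)
    print(current_user(f"session={sid}"))          # alice
    logout(sid)
    print(current_user(f"session={sid}"))          # None after logout
```

The difference from the thread's scheme is that the cookie value is never a secret the server has to keep: each token is worthless once its session row is deleted or expired, and a new login gets a new token, so a captured cookie has a bounded lifetime and can be revoked.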