Test cookie poisoning

Web site cookie poisoning came up twice in the last week while testing, so I guess
now is a great time to talk about how to test for the cookie poisoning vulnerability.
I'm not going to get into the details of how a cookie works but rather how to poison
them. If you want details of how they work from a testing point of view, read this respectable
paper.

Web sites use cookies (a lot of them). Cookies can be persistent (stored on disk) or
session cookies (held in memory), and they carry variables; variables that the site cares
about, and that can be messed with or "poisoned" to get results the Web site didn't
intend to give you. Use the following test page as an example. The test pages are simple:
if you have the right cookie content you will receive a 50% discount; if the content isn't
right you will not receive the 50% discount. The first page sets the cookie with the content
"SpecialOffer=No", indicating that you are not eligible by default. The cookie-setting code
on this page is simple and looks like this:

<SCRIPT>
document.cookie = "SpecialOffer=No";
</SCRIPT>

Now, if you click the link "Click here to see if you are eligible for 50% discount"
you'll see that you are not eligible for the discount. The check on the 2nd page is
pretty simple too and looks like this:

<SCRIPT>
var pos = document.cookie.indexOf("SpecialOffer=Yes");
if (pos == -1) {
document.write("I'm sorry you are NOT eligible for the 50% discount");
}
else {
document.write("You are eligible for the 50% discount");
}
</SCRIPT>

In the above script I look for the value "SpecialOffer=Yes" in the cookie content and
then react accordingly. If I don't see "SpecialOffer=Yes" then you aren't
eligible for the discount. Notice that both the setting and the checking happen in the
browser: the decision is made entirely on data the user controls, which is exactly what
makes it poisonable. Now, on to the fun stuff! How do you make yourself eligible
for the discount? To do this we need to change the default cookie content from "SpecialOffer=No" to
"SpecialOffer=Yes". How does one change cookie values? There are quite a
few ways, but I'll share with you my 3 favorites:

  1. Add N Edit Cookies FireFox extension

  2. Paros Proxy

  3. Paste the following JavaScript in the URL bar to view the cookies:
    javascript:alert(document.cookie.split(';').join('\n'))

    and the following to modify it:

    javascript:alert(window.c=function a(n,v,nv){var c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1)?c.indexOf(";"):c.length));var nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with::","")));

    Two caveats with the JavaScript route: current browsers strip the "javascript:" prefix
    when you paste into the URL bar, so paste everything after the colon into the developer
    tools console instead; and cookies flagged HttpOnly are not visible to document.cookie
    at all, so for those you need the proxy or the cookie editor.

How to poison cookies with Add N Edit Cookies

  1. Navigate to http://www.qainsight.net/examples/cookietest.htm in
    FireFox

  2. Click the cookie icon in your FireFox toolbar

  3. Find the cookie for www.QAInsight.net and double click it or highlight it and press
    the edit button

  4. Change the content form field from "No" to "Yes" (case sensitive)

  5. Go back to the browser and click the link "Click here to see if you are eligible for
    50% discount"

  6. KaaaaPOW.... You now have the 50% discount! You're a freakin' evil, bad to the bone
    tester!

How to poison cookies with Paros Proxy

Typically I wouldn't use Paros in this situation because the cookie is being
set on the client side (you won't see this too much in the real world; the server usually
sets it with a Set-Cookie response header). The following example isn't what I consider
cookie poisoning but more JavaScript manipulation. The following assumes you have cleared your cache:

  1. Turn on Paros and set your IE connection options to use the proxy address 127.0.0.1 with
    a port of 8080

  2. In Paros click the "Trap" tab and check the "Trap Request" and "Trap Response" checkboxes

  3. Navigate to http://www.qainsight.net/examples/cookietest.htm in
    IE

  4. Go back to Paros (Trap tab) and press the "continue" button until you see the following
    text in the bottom pane:
    <SCRIPT>
    document.cookie = "SpecialOffer=No";
    </SCRIPT>

  5. Change the "No" to "Yes" in the above line

  6. Click the "Continue" button.

  7. Go back to IE and click the link "Click here to see if you are eligible for 50% discount"

  8. Whoot! You now have the 50% discount! You're one sexy cool tester with a severity
    1 defect that needs to be submitted.

    There are situations where you will want to change the cookie value in the header
    (the top pane in the Trap tab), either the Set-Cookie header on the response or the
    Cookie header on the request; this is when you would use Paros over Add n Edit Cookies.
    These are the situations where you need to manipulate the cookie before the response is
    rendered or before the request is sent, because server-side or client-side code rewrites
    the cookie in between and an edit made at rest in the cookie store would be overwritten.

How to poison cookies with JavaScript

  1. Navigate to http://www.qainsight.net/examples/cookietest.htm in
    IE

  2. To view the set cookie, type the following in the URL bar:
    javascript:alert(document.cookie.split(';').join('\n'))

  3. You will see "SpecialOffer=No". Click Ok

  4. Copy and paste the following JavaScript in the browser URL bar:
    javascript:alert(window.c=function a(n,v,nv){var c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1)?c.indexOf(";"):c.length));var nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with::","")));

  5. Hit the enter key

  6. Click the Ok button at the JavaScript Alert

  7. Type the cookie name of SpecialOffer in the Alert box and click the Ok button

  8. At the "replace this value" script prompt type No and press the Ok button

  9. At the "with:" script prompt type Yes (case sensitive) and press the Ok button

  10. The next alert will show you the replaced cookie. You should see: SpecialOffer=Yes

  11. Click the Ok button

  12. In IE click the link "Click here to see if you are eligible for 50% discount"

  13. DingDingDingDing.... You're a winner! You now have the 50% discount! You're quite
    the bad-ass tester aren't you? You're like the wicked witch in Snow White but instead
    of poisoning apples you poison cookies.

And that's how I conduct cookie poisoning when testing. Not too awful tough eh? Oh...if
I ever get confused about the state of cookies before and after poisoning I use HTTPWatch to
get a better idea of what is going on. I can usually get the gist of it by looking
through the cookie and header tabs.

When do you test for the cookie poisoning vulnerability, you ask? Whenever there is
a cookie being used! Is it a defect if you can manipulate the cookie? Not necessarily.
It is typically a defect when a cookie is being placed that drives or restricts
the site's behavior (a price, a role, an "already voted" flag) and you can exploit that feature.
If you manipulate a cookie and it doesn't gain you anything or exploit a feature, then it's
not of much value, thus not a defect. But it's important that you know what the cookie you
are poisoning does; without knowing what the cookie does you may be poisoning something and
not seeing the exploit. To prevent guesswork it's easiest to work with your developer to
understand what he/she is doing with cookies on the site so you can go straight for the kill.
Whatever the cookie holds, the fix on the development side is the same: the server must not
trust a cookie value it did not verify, either by keeping the state server-side and using the
cookie only as an opaque session identifier, or by signing the value so that an edited
cookie is rejected.

Happy poisoning!