I have been reading up on session fixing/hijacking recently, and understand the theory.
What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the URL and pass it to the web application?
Or would you write some sort of custom script to make use of this, and if so what would it do?
I'm not trying to ask for help with this or examples, but I am trying to learn more and understand. Any help is appreciated.
Forging a cookie is trivial. As mentioned by Klaus, you can do it right out of your browser.
Here's a practical example of how this could be exploited:
- You login to your banking site
- Banking site puts a session ID into a cookie, say 123456
- Your browser sends the session ID to the server on every request. The server looks at his session store and recognizes you as the user who logged in a little while ago
- I somehow gain access to your cookies, or I sniff one of your HTTP requests (impossible with SSL), and find out your session id: 123456
- I forge a cookie for your banking site, containing the session ID
- Banking site recognizes ME as you, still logged in
- I transfer all your funds to my secret account in Switzerland and buy a ridiculously large boat
Of course, in practice there will be more security on high profile sites (for instance, one could check that a session ID never transfers to another client IP address), but this is the gist of how session hijacking works.
If you use firefox there is a plugin called TamperData that lets you change the values of everything that is sent to a server. So if I could read your session cookie, I could basically just go to that site with my firefox and use tamperdata to send it your session cookie value instead of my own, thus hijacking your session.
/Klaus
The internet isn't a magical black box that can only be utilized by browsers in the way the site wants you to.
You can edit your cookies or POST data or GET session variables, or write a simple script to do it. In the end all you're doing is sending HTTP requests and substituting your session data with whatever you want.
Would you have to tamper with your browser to make use of the stolen cookies?
You could, but it would probably be easier just to type javascript:document.cookie='stolencookie=somevalue'
in the address bar whilst viewing a page from the target site.