Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

In this lesson, participants receive step by step instructions in cookie manipulation. Using an add-on to Firefox, participants learn how to manipulate cookies using Burp Suite which assigns a cookie.

Video Transcription

00:04
Hello and welcome to these Cyberia secure coding course. My name is Sonny Wear, and this is the OAS top 10 for 2013 a two broken authentication in session management demo cookie manipulation.
00:20
This is the demo for cooking manipulation. So the first thing we're going to do is make sure we're not logged into the application. We can use an add on to fire Fox called cooking Manager to display any cookies that are currently in our browser.
00:38
Now, we don't have any right now, so this is good. We have a clean start.
00:43
I'm gonna go ahead and log into the application
00:47
with my account
00:51
actually going to turn on burp sweet.
00:59
And when I take a look at burp sweet, I'm gonna go ahead and forward this
01:07
so that my cookie gets assigned.
01:11
And one thing that you'll note is we've got a cookie that's been set for the session. That's
01:19
the cookie right there.
01:22
And then we also have a cookie for you. I d which is a number.
01:27
So if we take a look at that
01:32
in the cookie manager,
01:34
we can see the four cookies here. So
01:40
that was theseventies I d. That we saw in birth. Sweet,
01:45
but of note Is this you? I d So it looks like the u I. D for my account is the number 24.
01:53
Okay, so what we want to do is we want to see if the application code actually assigns a unique
02:04
a random, securely random number for this you i d and how we conduce. That
02:10
is we could actually edit this.
02:15
Let's change it to 12.
02:23
Refresh the page.
02:25
Okay.
02:27
And so we actually changed two completely different user.
02:32
So that lets me know that the application code doesn't have any kind of random primary key that's being used there, just incrementally creating the number and ah, and assigning it to every new user.
02:51
So if I wanted to
02:53
elevate my privileges, I could probably guess that the first accounts ever created in this application were
03:00
route or admin or something like that. And so the numbers probably gonna be very low. So why don't we try
03:13
instead
03:15
the number one
03:23
And sure enough, we are now admin.
03:28
So the problem here, of course, is that when setting your cookies when setting unique, identify IRS for your clients,
03:38
you must make sure that those cookies are not predictable.
03:44
You need to have them securely randomly generated either from a random generator, a random number generator or from a database.

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Instructor Profile Image
Sunny Wear
Instructor