Part 3: Cookie Manipulation Demo

Video Activity

In this lesson, participants receive step-by-step instructions in cookie manipulation. Using a Firefox add-on together with Burp Suite, participants observe the cookie the application assigns and learn how to manipulate it.


Time: 9 hours 31 minutes
Difficulty: Intermediate
CEU/CPE: 10

Video Transcription
00:04
Hello and welcome to this Cybrary secure coding course. My name is Sonny Wear, and this is the OWASP Top 10 for 2013, A2, Broken Authentication and Session Management, demo: cookie manipulation.
00:20
This is the demo for cookie manipulation. So the first thing we're going to do is make sure we're not logged into the application. We can use an add-on to Firefox called Cookie Manager to display any cookies that are currently in our browser.
00:38
Now, we don't have any right now, so this is good. We have a clean start.
00:43
I'm gonna go ahead and log into the application
00:47
with my account
00:51
Actually, I'm going to turn on Burp Suite.
00:59
And when I take a look at Burp Suite, I'm gonna go ahead and forward this
01:07
so that my cookie gets assigned.
01:11
And one thing that you'll note is we've got a cookie that's been set for the session. That's
01:19
the cookie right there.
01:22
And then we also have a cookie for UID, which is a number.
01:27
So if we take a look at that
01:32
in the cookie manager,
01:34
we can see the four cookies here. So
01:40
that was the session ID that we saw in Burp Suite,
01:45
but of note is this UID. So it looks like the UID for my account is the number 24.
01:53
Okay, so what we want to do is we want to see if the application code actually assigns a unique
02:04
a random, securely random number for this UID, and how we can do that
02:10
is we could actually edit this.
02:15
Let's change it to 12.
02:23
Refresh the page.
02:25
Okay.
02:27
And so we actually changed to a completely different user.
02:32
So that lets me know that the application code doesn't have any kind of random primary key that's being used there; it's just incrementally creating the number and assigning it to every new user.
02:51
So if I wanted to
02:53
elevate my privileges, I could probably guess that the first accounts ever created in this application were
03:00
root or admin or something like that. And so the number's probably gonna be very low. So why don't we try
03:13
instead
03:15
the number one
03:23
And sure enough, we are now admin.
03:28
So the problem here, of course, is that when setting your cookies, when setting unique identifiers for your clients,
03:38
you must make sure that those cookies are not predictable.
03:44
You need to have them securely randomly generated, either from a random generator, a random number generator, or from a database.
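As an added example that is not part of the course or of the demo application, the following Python contrasts the cookie design the demo exploits (a client-editable, incrementing UID cookie that the server trusts as the user's identity) with the hardened form the closing remarks call for: an opaque session identifier drawn from the operating system's CSPRNG, with the user identity held only in a server-side session store. The user table, cookie names and in-memory session store are constructed for illustration; `secrets` is the Python standard-library module for security-grade randomness.

```python
import secrets

# Constructed stand-in for the demo application's user table (uid -> username).
USERS = {1: "admin", 12: "other_user", 24: "sonny"}


# --- Weak pattern seen in the demo: the uid cookie *is* the identity -----------
def weak_current_user(cookies):
    """Trusts a client-editable 'uid' cookie. Because uids are assigned
    incrementally, editing uid=24 to uid=1 lands on the first (admin) account."""
    uid = cookies.get("uid")
    if uid is None or not uid.isdigit():
        return None
    return USERS.get(int(uid))


# --- Hardened pattern: unpredictable token, identity kept server side ------------
SESSION_ID_BYTES = 32          # 256 bits of entropy per session id
_sessions = {}                 # session_id -> uid; never leaves the server


def login(uid):
    """Issues a fresh session id from the OS CSPRNG and binds it to uid on the
    server. The client only ever sees the opaque token, never the uid itself."""
    if uid not in USERS:
        return None
    session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
    _sessions[session_id] = uid
    return session_id


def logout(session_id):
    """Invalidates the token so a captured or leaked value stops working."""
    _sessions.pop(session_id, None)


def hardened_current_user(cookies):
    """Resolves identity only through the server-side store. A guessed or
    edited cookie value that was never issued simply maps to nobody."""
    session_id = cookies.get("session_id")
    if not session_id:
        return None
    uid = _sessions.get(session_id)
    return USERS.get(uid) if uid is not None else None
```

With the hardened form, changing the cookie to a low number or flipping a character of a valid token yields no user at all, whereas the weak form resolves any small integer straight to an account.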