1
00:00:01,370 --> 00:00:08,190
In this lecture we're going to learn how to bypass authentication by manipulating cookie values.

2
00:00:09,420 --> 00:00:14,820
Now this doesn't always happen and it's not always possible, but it's possible when the session management

3
00:00:14,880 --> 00:00:18,590
is programmed in a way that can easily be bypassed.

4
00:00:18,630 --> 00:00:21,550
And I'll talk more about that once we actually do the attack.

5
00:00:21,870 --> 00:00:27,690
But before we do anything we need to have a plugin that allows us to modify our cookies.

6
00:00:27,690 --> 00:00:34,800
So the first thing that I'm going to do is go on Google and look for "cookie editor

7
00:00:37,240 --> 00:00:45,080
Firefox", and I'm going to download Cookies Manager+. All you have to do is just click on the link

8
00:00:45,830 --> 00:00:51,730
to Firefox and install, and it's going to ask you to restart.

9
00:00:51,730 --> 00:00:52,970
So I'm going to restart it.

10
00:00:55,670 --> 00:00:57,380
And it should be installed now.

11
00:00:58,170 --> 00:01:04,240
Now, cookies are used to authenticate users after they log in.

12
00:01:04,240 --> 00:01:11,090
So for example, once you go in here and log in. I've already created an account on this.

13
00:01:11,120 --> 00:01:16,790
You can create one by just clicking on "Register" here, and you can see that I created the username zayd

14
00:01:18,180 --> 00:01:22,490
and the password is 123456.

15
00:01:22,500 --> 00:01:28,050
Now once I log in here, you'll notice that every time I go to a different page I don't have to log in

16
00:01:28,050 --> 00:01:34,380
again. So every time I just browse through this website you'll see that I don't get prompted to log

17
00:01:34,380 --> 00:01:38,740
in again, and everywhere I go it knows that I'm logged in as zayd.

18
00:01:38,850 --> 00:01:41,720
Now this is possible thanks to cookies.
19
00:01:41,730 --> 00:01:48,480
So every time I go to this website or to these pages, they know that zayd is trying to get in here because

20
00:01:48,480 --> 00:01:51,150
the cookies are stored in my browser.

21
00:01:51,270 --> 00:01:57,550
And every time I request something from this website, the cookies are sent to that web page, and that tells

22
00:01:57,550 --> 00:02:03,560
it that zayd has already authenticated himself and he is just trying to display this website.

23
00:02:03,960 --> 00:02:09,660
So even if I close this, so I'm just going to close all of this and just get back to it again,

24
00:02:15,030 --> 00:02:21,750
you'll see that I'm still logged in as zayd. Now, cookies have a date of expiry and they'll expire after

25
00:02:21,750 --> 00:02:23,810
a while.

26
00:02:23,870 --> 00:02:29,220
Sometimes the cookies are configured in a way that they can be easily manipulated.

27
00:02:29,540 --> 00:02:32,240
So let's have a look at the cookies for this website.

28
00:02:32,240 --> 00:02:38,990
Now, I'm going to click on Alt to display the menus here, and I'm going to go on Tools,

29
00:02:39,020 --> 00:02:46,370
Cookies Manager+, and I'm going to search for the name of the website, which is 10:22 11:46, and

30
00:02:46,370 --> 00:02:49,500
that will display all the cookies that have been sent.

31
00:02:49,760 --> 00:02:57,150
So you can see the PHPSESSID and all these cookies. You can see that there are two interesting cookies:

32
00:02:57,150 --> 00:03:04,160
one of them is called username and the other one is called user ID, or uid.

33
00:03:04,230 --> 00:03:11,200
So this is really interesting, and if we click on Edit you'll see that the name of the cookie

34
00:03:11,200 --> 00:03:16,400
is uid, or user ID, and the content is 17.
35
00:03:16,550 --> 00:03:24,530
So you can try to guess that this means that this cookie is telling this page that the user ID of the person

36
00:03:24,530 --> 00:03:27,200
who is trying to visit this page is 17.

37
00:03:27,200 --> 00:03:34,200
So we can guess that the user ID for zayd, for the user that I just created, is 17.

38
00:03:34,240 --> 00:03:40,010
So what we can do is we can try to modify this to a different value and see what happens.

39
00:03:40,150 --> 00:03:47,370
And often admins are created first at every website, so we can try to go for 1.

40
00:03:47,380 --> 00:03:50,740
So I'm just going to delete the 7 and I'm going to keep it as 1.

41
00:03:51,010 --> 00:03:53,150
And then we're going to save the cookies like this.

42
00:03:54,680 --> 00:04:01,290
I'm going to close that and then I'm just going to refresh the page.

43
00:04:01,390 --> 00:04:07,330
Now you can see that I've actually logged in as admin, and I can browse the website and do anything

44
00:04:07,600 --> 00:04:09,540
that the admins are allowed to do.

45
00:04:09,770 --> 00:04:17,580
And we were able to do this very simply by modifying our cookies and changing our user ID to user ID number 1.

46
00:04:17,590 --> 00:04:25,960
So this was possible because the cookies that are used are very simple. Now, cookies should be more complicated,

47
00:04:26,230 --> 00:04:34,450
so they should actually use what's known as session IDs or tokens. These tokens should be very complicated

48
00:04:34,750 --> 00:04:37,730
and not related to the user ID.

49
00:04:37,750 --> 00:04:43,450
That way, even if I know that the admin has a user ID of

50
00:04:43,450 --> 00:04:43,920
one,

51
00:04:44,020 --> 00:04:48,190
I wouldn't be able to know what token that admin is using.

52
00:04:48,250 --> 00:04:55,120
So they should be dynamically generated based on each user, and they should vary from time to time.
53
00:04:55,120 --> 00:05:01,960
So even for the same user, every time he logs in they should get a different token, randomly based on some

54
00:05:01,960 --> 00:05:09,570
parameters, so that it's very difficult for anybody to know what token each user gets.

55
00:05:09,610 --> 00:05:16,510
Otherwise it will be very easy for people to guess what token the admin or any other user has and

56
00:05:16,570 --> 00:05:18,610
just inject it into their browser.

57
00:05:19,000 --> 00:05:25,450
Now, using complicated tokens and session IDs is still vulnerable to man-in-the-middle attacks, and

58
00:05:25,450 --> 00:05:31,420
we've seen that in plugins like Firesheep and in programs like Ferret and Hamster, which I actually

59
00:05:31,420 --> 00:05:37,120
explained in my network penetration testing course, where you could gain access to any user account

60
00:05:37,420 --> 00:05:40,510
as long as the people are on the same network as you.

61
00:05:40,510 --> 00:05:46,030
So even if the token is really complicated, you'll be able to capture that token and then inject it into

62
00:05:46,030 --> 00:05:46,660
the browser.

63
00:05:46,780 --> 00:05:51,670
But the main idea is the website is not vulnerable because you can't guess it yourself.

64
00:05:51,720 --> 00:05:57,760
You have to actually capture that token from another person and then inject it, whereas in here we were

65
00:05:57,790 --> 00:06:03,600
able to just know or guess that the admin has an ID of one, inject it, and then log in as admin.