7.5 Referer Spoofing

An interesting HTTP header that a browser sends with every request is the Referer. It contains the URL the request originates from. Some web applications use it as a security feature: they try to figure out whether the request comes from an internal network and conclude that the user must therefore be logged in.

That's a really bad idea, because the Referer header can be freely manipulated, as the next example shows.

    #!/usr/bin/python3

    import sys
    import httplib2

    if len(sys.argv) < 2:
        print(sys.argv[0] + ": <url>")
        sys.exit(1)

    # The client chooses every header it sends, including Referer
    headers = {'Referer': 'peter-lustig.com'}
    webclient = httplib2.Http()
    response, content = webclient.request(sys.argv[1],
                                          'GET',
                                          headers=headers)
    # The response body is returned as bytes
    print(content.decode('utf-8', 'replace'))

We write the header data we are going to send into a dictionary, which the request method takes as an argument. It therefore does not matter whether the keys of the dictionary are valid HTTP headers or total crap.

7.6 The Manipulation of Cookies

HTTP is a stateless protocol. As mentioned before, every request sent by a client is completely independent of other requests; a request doesn't know anything about the others. Web developers use several tricks to circumvent the stateless property of HTTP by pinning a hopefully individual and hard-to-guess number to each visitor, the so-called session ID. It is sent with every request to identify a client and, as the name implies, should be valid for one session and deleted after logout. There are several known cases where such a number gets saved in a cookie. The complete cookie data is sent with every request to the domain or host the cookie was generated from. Sometimes, and nowadays more often, cookies are used to track a user by embedding them in advertisements that are displayed on various sites, such as Google Ads, to analyze the user's consumer behavior. That's why cookies don't have a good reputation, but they can be, and are, used in many other ways, for example in frameworks that handle authentication by including the session ID, a logged-in flag or even a username and password in cleartext.

Whatever is saved in your cookies, and however well a web developer tries to protect their application against keen attacks like SQL or even command injection (more about this later), cookies often get overlooked. This is because they seem to act invisibly in the background. One does not expect them to get manipulated like HTTP headers, which makes them even more attractive. So let us write a cookie manipulator!

    #!/usr/bin/python3

    import sys
    import httplib2

    # The script name plus three arguments are required
    if len(sys.argv) < 4:
        print(sys.argv[0] + ": <url> <key> <value>")
        sys.exit(1)

    webclient = httplib2.Http()
    # Build the Cookie header from the key and value given on the command line
    headers = {'Cookie': sys.argv[2] + '=' + sys.argv[3]}
    response, content = webclient.request(sys.argv[1],
                                          'GET',
                                          headers=headers)
    # The response body is returned as bytes
    print(content.decode('utf-8', 'replace'))

Cookies are sent with the help of the Cookie header and consist of key/value pairs separated by a semicolon. The server uses the Set-Cookie header to ask the client to save a cookie.

Each cookie has a lifetime. Some are only valid for the current session and some for a specific period, like 1 day. If you stumble over the magic word secure while reading your cookie data, this means that the cookie should only be sent over HTTPS connections. This does not make it any more secure against cookie manipulation. In the tools section at the end of the chapter you can find a program for stealing standard HTTPS cookies.
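Since the client controls both the Referer and the Cookie header, a server that keeps state such as a logged-in flag in a cookie has to authenticate the value itself. The following is an added example, not code from the book: it tags a cookie value with HMAC-SHA256 and rejects hand-made or modified values. The function names, the `session` cookie name and the `user:flag` layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: a server-side secret that never leaves the server (random per run here).
SECRET_KEY = secrets.token_bytes(32)


def sign_value(value, key=SECRET_KEY):
    """Return 'value.tag', where tag is the HMAC-SHA256 of value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_value(signed, key=SECRET_KEY):
    """Return the value if its tag is valid, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: a cookie built by hand
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


def authenticate(headers):
    """Return the user name of a valid logged-in session, otherwise None.

    Only the signed cookie is consulted; the Referer header is ignored."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    if "session" not in jar:
        return None
    value = verify_value(jar["session"].value)
    if value is None:
        return None
    user, _, flag = value.partition(":")
    return user if flag == "1" else None


if __name__ == "__main__":
    guest = sign_value("guest:0")
    requests = {  # constructed sample requests
        "issued by server": {"Cookie": "session=" + sign_value("alice:1")},
        "hand-made cookie": {"Cookie": "session=admin:1",
                             "Referer": "http://intranet.example/"},
        "flag flipped": {"Cookie": "session=" + guest.replace("guest:0", "admin:1")},
    }
    for name, headers in requests.items():
        print(name, "->", authenticate(headers))
```

A valid tag only proves that the server issued the value; it does not stop a stolen cookie from being replayed, so expiry and server-side invalidation at logout are still needed.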

Completely deactivating cookies could make some web sites unusable; it is therefore better to install a browser plugin that can selectively allow cookies. A solution for Firefox is Cookie Monster. You can find it under the following URL: ampsoft.net/utilities/CookieMonster.php.
