WebApp Pentesting: Cookie Reuse







Hi there,

Happy Christmas to All the readers 

Today I am sharing about a new vulnerability which is can be exploited by reusing cookie.

There are many website which does not expire the old session id in order to verify the session.
So this can be exploited and can be used for full compromise of account.
Cookie maintains the session on a website after login website sent user cookie by which the can identify the session of the user on the website these cookie are saved on user machine.
So if they are saved on user machine they are already becomes vulnerable if a user copied and used them then this can lead to a full account takeover.

Now in order to maintain the session a website creates a unique session id in order to verify the user but some website forgots to add a expiration on these session ids.

How this can be exploited ?

Since cookie can be exploited using any XSS attack then cookies becomes vulnerable for more info on XSS read this post 
So You are only needed some tools to exploit it.
What you need a cookie editable tool and a web browser 
If You are using chrome then there is a very good extension in chrome used as EditTheCookie You can export and import cookie using it.


Exploiting 

  • Install EditThisCookie on chrome
  • Now Login to any website and export the cookie using this.
  • Now do Logout and paste the cookie in the import tab of the extension.
  • Reload the page if you get sign in then the cookie is not expiring if not then it expired.

Fix

In order to fix this websites should have to generate a random session id for the user when he logs in and should have to expire it as soon as users do a signout.
I will be discussing a very great fix of this in my future posts.

Till then stay tuned 
Suggestion are welcome 

Thanks 
Jitendra Singh (Team Computer Korner )

In guidance of Gurpreet Singh and Subir Sutradhar



Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!

0 comments: