Unable to impersonate another user although having its cookie

Hi,

I'm auditing a web application programmed in CakePHP and I'm having a problem. I'm almost sure the authentication mechanism is carried by a cookie, but I'm unable to impersonate another user using its cookie. The probe I do is opening two sessions with two different users (one in Internet Explorer and one in Firefox). Then I copy the cookie belonging to one user and substitute it in a request done by the other user (using WebScarab). The app throws an error and disconnects the validated and legal user. I think that some info is stored on the server side about the client who owns each cookie.

Is this possible? Is it the normal operation of sessions in CakePHP?

Any info or pointer would be very useful.

Thanks.
Re: Unable to impersonate another user although having its cookie

Just a guess, but try to fake the user agent. Something in the HTTP header must be part of the cookie auth, so try them all and then reduce. My guess is that it is the user-agent.

2009/7/1 Juan Kinunt <kinunt@...>:
Re: Unable to impersonate another user although having its cookie

Juan,

There is actually a relatively simple way to figure out what exactly is causing the session stealing to fail. Get a local proxy, such as WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project), and run it on the machine where the browsers are installed. Configure _both_ browsers to use the local proxy (127.0.0.1:8080 for example) (http://dawes.za.net/rogan/webscarab/quickstart.php). Use one browser to log in, and observe the first post-login request. Use the second browser to try and put any differing values from the first into requests from the second. Viewing a diff of the two requests will identify where the discrepancies are.

Hope this helps!

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org

On Wed, Jul 1, 2009 at 9:00 AM, pUm <hijacka@...> wrote:
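The request diff Brad describes, as an added example that is not part of the thread: it parses two captured requests and lists every field that differs, keeping cookie pairs separate from other headers. The two captures, the host name, the cookie name and the session ids are constructed.

```python
"""Added example (not from the thread): parse two captured HTTP requests and
report every field that differs, so the header the server is binding the
session to stands out next to the cookie. Sample requests are constructed."""
from typing import Dict, Tuple

Headers = Dict[str, str]


def parse_request(raw: str) -> Tuple[str, Headers, Headers]:
    """Split a raw HTTP/1.x request into (request line, headers, cookies).
    Header names are lower-cased; the Cookie header is split into pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    request_line = lines[0].strip()
    headers: Headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies: Headers = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return request_line, headers, cookies


def diff_requests(raw_a: str, raw_b: str) -> Dict[str, Tuple[str, str]]:
    """Return {field: (value in A, value in B)} for every differing field.
    Cookie pairs are keyed as 'cookie:<name>' so the session id shows up
    separately from headers such as user-agent or referer."""
    line_a, hdr_a, ck_a = parse_request(raw_a)
    line_b, hdr_b, ck_b = parse_request(raw_b)
    diff: Dict[str, Tuple[str, str]] = {}
    if line_a != line_b:
        diff["request-line"] = (line_a, line_b)
    for name in sorted((set(hdr_a) | set(hdr_b)) - {"cookie"}):
        if hdr_a.get(name) != hdr_b.get(name):
            diff[name] = (hdr_a.get(name, ""), hdr_b.get(name, ""))
    for name in sorted(set(ck_a) | set(ck_b)):
        if ck_a.get(name) != ck_b.get(name):
            diff["cookie:" + name] = (ck_a.get(name, ""), ck_b.get(name, ""))
    return diff


# Constructed captures of the same post-login request from two browsers
# (hypothetical host, cookie name and session ids; not real traffic).
REQ_FIREFOX = (
    "GET /users/profile HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20090624 Firefox/3.5\r\n"
    "Accept: text/html\r\n"
    "Cookie: CAKEPHP=aaaa1111; lang=en\r\n"
    "\r\n"
)
REQ_IE = (
    "GET /users/profile HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    "Accept: text/html\r\n"
    "Cookie: CAKEPHP=bbbb2222; lang=en\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for field_name, (a, b) in diff_requests(REQ_FIREFOX, REQ_IE).items():
        print(f"{field_name}\n  Firefox: {a}\n  IE:      {b}")
```

Anything that differs besides the session cookie is a candidate for what the server checks alongside it.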
Re: Unable to impersonate another user although having its cookie

Juan,

A few questions to direct this:

1. Are there any parameters in the request itself that are not the cookie and can be suspected as client/session identifiers (either in the body of a POST or as part of the URL in a GET)?
2. Are you trying to execute a similar request? Is there a chance you are failing not due to the cookie but due to lack of other parameters (such as an anti-CSRF token)?
3. Is it HTTP or HTTPS traffic? I've encountered applications that make the connection between the SSL session and the application session.

Each of the above can be a direction of why it's not working for you. Answering one or more of those can help direct to the problem.

Irene

On Wed, Jul 1, 2009 at 1:14 PM, Juan Kinunt <kinunt@...> wrote:
Re: Unable to impersonate another user although having its cookie

As pUm said:

> My guess is that it is the user-agent

It may be the user agent. Instead of trying them all, I suggest you install the Firefox User-Agent Switcher addon (https://addons.mozilla.org/en-US/firefox/addon/59) and select the IE one. Or simply copy/paste the IE user agent into your WebScarab-intercepted request emitted with Firefox (and vice versa). You may generalize this technique to a greater number of HTTP headers in order to completely masquerade the browser you are trying to impersonate.

cheers,
SI

On Wed, Jul 1, 2009 at 11:00 PM, pUm <hijacka@...> wrote:
Re: Unable to impersonate another user although having its cookie

Go download sidejacking; it contains Hamster and Ferret.

On Jul 1, 2009, at 9:36 AM, "Irene Abezgauz" <irene.abezgauz@...> wrote:
Re: Unable to impersonate another user although having its cookie

pUm is right. You can download the code from Cake and see for yourself. In cake\libs\session.php you will see the following check:

    if ((Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read('Config.userAgent'))
        && $this->time <= $this->read('Config.time')) {

Hope this helps

Cheers,
Marc

On Wed, Jul 1, 2009 at 4:00 PM, pUm <hijacka@...> wrote:
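To make the quoted check concrete, here is an added example (not CakePHP's code) of a minimal server-side session store that binds a session id to the User-Agent seen at login plus an expiry time, with a checkAgent switch like Cake's Session.checkAgent. The scenario, the user names and the User-Agent strings are constructed, and destroying the session on a failed check is an assumption made to match what Juan observed.

```python
"""Added example (not CakePHP's code): a minimal server-side session store
that models the check quoted above, binding a session to the User-Agent
header and an expiry time. The scenario below is constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    user_agent: str   # plays the role of Config.userAgent
    expires: float    # plays the role of Config.time


class SessionStore:
    def __init__(self, check_agent: bool = True, timeout: int = 600,
                 clock: Callable[[], float] = time.time) -> None:
        self.check_agent = check_agent   # plays the role of Session.checkAgent
        self.timeout = timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, user_agent: str) -> str:
        """Create a session bound to the agent seen at login; return its id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, user_agent, self.clock() + self.timeout)
        return sid

    def resolve(self, sid: Optional[str], user_agent: str) -> Optional[str]:
        """Return the user behind a session id, or None if the check fails.
        A failed check destroys the session (assumed, to match the thread's
        observation that the legitimate user is logged out too)."""
        key = sid or ""
        sess = self._sessions.get(key)
        if sess is None:
            return None
        agent_ok = (not self.check_agent) or sess.user_agent == user_agent
        if agent_ok and self.clock() <= sess.expires:
            return sess.user
        self._sessions.pop(key, None)
        return None


# Constructed User-Agent strings for the two browsers from the thread.
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20090624 Firefox/3.5"
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"


def replay_scenario(check_agent: bool) -> Dict[str, Optional[str]]:
    """alice logs in from Firefox; her cookie is then presented with IE's
    User-Agent, and afterwards Firefox sends its next request."""
    store = SessionStore(check_agent=check_agent)
    sid = store.login("alice", FIREFOX_UA)
    return {
        "cookie_with_other_agent": store.resolve(sid, IE_UA),
        "legit_browser_afterwards": store.resolve(sid, FIREFOX_UA),
    }


def expiry_scenario() -> Optional[str]:
    """A session past Config.time is rejected even with the right agent."""
    now = [1_000.0]
    store = SessionStore(timeout=600, clock=lambda: now[0])
    sid = store.login("bob", FIREFOX_UA)
    now[0] += 601
    return store.resolve(sid, FIREFOX_UA)


if __name__ == "__main__":
    print("checkAgent on :", replay_scenario(True))    # both None
    print("checkAgent off:", replay_scenario(False))   # both 'alice'
    print("expired       :", expiry_scenario())        # None
```

Because the User-Agent is chosen by the client, this binding only catches a replay that forgets to copy the header; treat it as a tripwire worth logging, not as an authentication control.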
Re: Unable to impersonate another user although having its cookie

If I understand the issue correctly you login successfully and get a cookie. You then try and login a second time with another browser trying to impersonate the first authenticated user. However, the first session then gets logged out. To me this would be expected if the app is designed correctly. I would think you would only want 1 valid login at a time, and if another one is used it would invalidate the other.

-Jay

Quoting pUm <hijacka@...>:
Re: Unable to impersonate another user although having its cookie

Jay,

From re-reading Juan's message, it sounds like he's actually logging in to the application once in a browser and then making the request that the first browser would normally do in the second browser, with the cookie from the first browser. In -theory- this shouldn't lock out that session as there is only the 1 log in (which doesn't actually happen with this specific application due to the user agent).

Chris

On 01/07/2009, at 11:02 PM, jay.tomas@... wrote:
Re: Unable to impersonate another user although having its cookie

CakePHP is open source, why not use it :)

http://api.cakephp.org/view_source/cake-session/#line-134 etc.
RE: Unable to impersonate another user although having its cookie

>> The probe I do is opening two sessions with two different users (one
>> in internet explorer and one in firefox). Then I copy the cookie
>> belonging to one user and substitute it in a request done by the other
>> user (using WebScarab). The app throws an error and disconnects the
>> validated and legal user.

Can you be more specific? What is the actual response to the request (e.g. 302 redirect, 401 error page, 404 error page, etc.)? The server can certainly invalidate the session on the backend, but I don't know if I understand what you mean by "disconnects". I assume you mean that the session token simply becomes unusable?

>> I think that some info is stored in server side about the client who
>> owns each cookie.

The server only knows what the client told it, which is all contained within the request. It is possible for the server to attempt to validate the IP address and/or some HTTP headers, such as user-agent and referer. Validating the headers is somewhat uncommon because they are so easily manipulated. I wouldn't go there first in terms of troubleshooting, but that could be it. If we're talking SSL, perhaps the SSL session id is somehow tied to the application session identifier?

Did the actual request with the appended cookie value fail? What can happen is that the browser fetches other resources (images, etc.) that don't contain the cookie you manually added. This results in a failure (possibly a redirect), obscuring the fact that your "session hijacking" actually worked. I know I've missed this on occasion ;-)

>> Is this possible? Is it the normal operation in sessions in CakePHP?

See "S I" response. Cake has validating the user agent header as a config option it seems.
Re: Unable to impersonate another user although having its cookie

Since HTTP is a stateless protocol, the only way the server can relate a request to a user is to maintain a session: in your case, with a cookie. But of course, it is possible to use ANY data in the HTTP request to do this association (data which you CAN control, unless there are some encrypted parameters) and maybe (unfortunately for you) some data you can not (like origin IP address, SSL ID). So go ahead and play with the parameters you can control and try to reproduce the stolen session request.

One more thing: are you considering the application business logic? Some applications require the actions to be taken in a certain order. Ex: opA, opB then opC. Maybe you're "jumping" actions (going from opA straight to opC) and that's why you're getting disconnected. Always consider the application business logic.

By the way: you do not need to use different browsers to test sessions. You can run two instances of Firefox with the 'no-remote' command line option. This way you can have two different instances which do not share cookies (you can also have two different Firefox profiles running). This way you don't have to copy the User-Agent header that IE is sending to the server.

Guillermo Caminer
Re: [SOLVED] Unable to impersonate another user although having its cookie

Thanks for your ideas. I should have looked in the code before asking; the answer was there :) When I substituted the UserAgent I was able to impersonate the user/hijack the session without problem!

Thanks to all!
Re: Unable to impersonate another user although having its cookie

It's very easy to get the IP of the client and invalidate the session if the session (obtained from the cookie) and the IP do not match what the app has stored from previous requests. Maybe that is your case.

BR