After a longer break I have finally decided to get back to doing some bounties, and I am really excited for that. First, I needed a break. Second, I was heavily invested in Web Development and have learned a ton in that sector. There is a lot of interesting stuff I have in my pipeline that will be very interesting for all of you Bug Hunters. Instead of just jumping in again, I decided to take a learning path on TryHackMe. Web Fundamentals to be concrete. I already know most of the stuff in there, but it can never harm to re-connect those synapses. As I have just started a day ago and it’s already Friday, there is not too much to share this week. I basically have just learned about how cookies work and thought I share.
What are Cookies exactly?
I’m just going to save you from a stupid cookie joke at this point. Cookies generally have a large number of uses. In most cases, they are used for session management and advertising (tracking cookies).
HTTP is stateless. That means, we need Cookies to keep track of things. Those things include but are not limited to:
Items in a shopping cart, who you are, what you have done on the website so far, authentication information, etc.
Cookies have certain properties, see below.
- A name
- To identify the cookie
- A value
- That’s where data is stored
- An expiration date
- When the browser get’s rid of the cookie (ex. 30 days)
- That determines what requests cookies will be sent with
When you log into a website, you are given a session token. This token allows the server to differentiate your requests from another user’s. As you probably know, cookies can be stolen to impersonate someone else.
To understand how cookies work, we need to know how to manipulate them. There are a gazillion way to manipulate cookies, let me quickly show you two. In this example I use Adam Langley’s excellent CTFChallenge.co.uk website.
Using Developer Tools
In Chrome, you can just press F12 and go to Application and select Cookies in the left pane. In FireFox it is also F12 and then you find the Cookies within the Storage tab.
Here, I could just double-click inside of the Cookie string, change it, and send the request again with another cookie.
To be able to access VULNLTD’s site, you have to be logged in to Adam’s CTFChallenge.co.uk.
Hence, if I open the same website inside of a incognito window, I am not able to access the site, due the lack of the cookie:
If I now go ahead and copy the cookie from the left window (the logged in session) to the right, unauthenticated window and hit F5 to refresh:
Voila, we are in. You get the gist of it I guess?
We can also use Curl with cookies. To do that, we need the name of the cookie and it’s value. We know which is which by simply looking at the tab in dev tools.
Let’s try to send a GET request to Adam’s challenge without being authenticated.
Huh, didn’t work? Of course not! But Adam gives us a hint. Let’s try that again:
curl -H "Cookie: ctfchallenge=MyCookie" <http://www.vulnrecruitment.co.uk/>
Awesome! Now we also know that Adam doesn’t like to write CSS and uses Bootstrap. I think that should get the point across.
Other tools to modify and send cookies with
- Burp Suite
- Browser Dev Tools
- Probably tons of other tools
Now you should know how cookies work.
Ah, writing that was fun! I am excited to get back to this after taking a break. I think if you are a Bug Bounty beginner, now is the right time to jump in, as I start from the beginning again as well. Those posts will be weekly on Fridays.
Check out older episodes of The Bug Bounty Diaries here.