Burp suite ubuntu
When testing web applications you may come across an application that passes a ton of cookies along with each request. Cookies are used to maintain state within the application, and typically only one cookie is needed for that. There are times when other cookies are used as well, and when testing web applications it may be difficult to determine which cookie is associated with session and which with other functionality. Hopefully my technique for determining cookie functionality will help others as well. I’m going to take a look at Ubuntu forums as an example.

So configure Burp to capture traffic and make a request to Ubuntu forums. Below is the screenshot of Burp making the first couple of requests to. Here we see that simply going to the forum home page without authenticating, we get two cookies, “bb_lastvisit” and “bb_lastactivity”.

We’re lucky in some sense, as these cookies are fairly descriptive; oftentimes cookies have nondescript names, which makes it even more difficult to understand their functionality.

Now let’s authenticate and see what other cookies come into play. Now we have two additional cookies (bb_sessionhash and IDstack) that get submitted with each request. At this point it’s a safe bet to say that either IDstack or bb_sessionhash is responsible for handling the session to Ubuntu forums.

One of the quick and easy ways to determine which cookie is truly used for session is to intercept a request that requires authentication, manually delete that cookie and see if you get kicked out of the application. Below is a screenshot of me performing that action. In this example I clicked on my profile, because some portions of the profile require authentication to view. So I deleted the IDstack cookie to see if it had any effect on session. After forwarding the request it did indeed bring me to my profile, so the IDstack cookie isn’t responsible for handling the session. We can see this in the browser as shown in the screenshot below.

Next let’s try getting rid of the bb_sessionhash cookie via the same method. After the bb_sessionhash cookie is removed we do indeed lose the authenticated features of the “My Profile” page, as seen below. So now we have identified the cookie that maintains session for this application.

It’s also a good idea to delete all the cookies except for bb_sessionhash (or your particular cookie in question) and confirm that the session survives. I did go ahead and delete all the cookies except for bb_sessionhash and I maintained session, so the other cookies have nothing to do with session in this instance. In this scenario you can wipe your hands clean knowing that you’ve correctly identified the cookie that handles the session, but sometimes other cookies will appear within the same application when you stumble across other functionality. One example of this is when a web application has some reporting piece to it. I’ve seen where the reporting functionality may be a bolted-on third-party application that uses its own session handling, which would call for another cookie.
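The cookie-elimination check described above, written up as an added example (my own script, not code from the original post): it replays the authenticated request once per cookie, each time with that one cookie removed, and reports every cookie whose absence drops the logged-in content, so it also catches the bolted-on-reporting case where more than one cookie carries a session. The forum stand-in, the cookie values and the “Edit profile” marker are constructed assumptions; `make_http_fetch` shows how the same function would be wired to a real GET.

```python
# Cookie-elimination check: replay the authenticated request once per cookie,
# each time with that one cookie removed, and see whether the response still
# shows something only an authenticated user gets (the editable profile page).
import urllib.error
import urllib.request
from typing import Callable, Dict, List

Fetch = Callable[[Dict[str, str]], str]  # cookie jar -> response body


def find_session_cookies(fetch: Fetch, jar: Dict[str, str], marker: str) -> List[str]:
    """Return the cookies whose removal makes `marker` disappear from the page.

    `marker` must be text the server only sends to an authenticated user.
    """
    if marker not in fetch(dict(jar)):
        raise ValueError("baseline request with every cookie is not authenticated")
    required = []
    for name in jar:
        trimmed = {k: v for k, v in jar.items() if k != name}
        if marker not in fetch(trimmed):
            required.append(name)
    return required


def make_http_fetch(url: str) -> Fetch:
    """Fetch callable for a real target (assumption: plain GET, Cookie header)."""
    def fetch(jar: Dict[str, str]) -> str:
        header = "; ".join(f"{k}={v}" for k, v in jar.items())
        req = urllib.request.Request(url, headers={"Cookie": header})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 403 etc. still carry a body
            return err.read().decode("utf-8", "replace")
    return fetch


# Constructed stand-in for the forum: only a valid bb_sessionhash unlocks the
# authenticated parts of the profile page; the other three cookies are ignored.
VALID_SESSION = "0123456789abcdef"  # constructed sample value, not a real hash
SAMPLE_JAR = {"bb_lastvisit": "1700000000", "bb_lastactivity": "0",
              "bb_sessionhash": VALID_SESSION, "IDstack": "1234"}


def fake_forum(jar: Dict[str, str]) -> str:
    if jar.get("bb_sessionhash") == VALID_SESSION:
        return "<h1>My Profile</h1><a href='/edit'>Edit profile</a>"
    return "<h1>My Profile</h1><p>You must be logged in to view this.</p>"


if __name__ == "__main__":
    print(find_session_cookies(fake_forum, SAMPLE_JAR, "Edit profile"))
```

Against the stand-in this prints `['bb_sessionhash']`; pointing `make_http_fetch` at a profile page of your own application and passing the cookies Burp captured gives the same answer the manual intercept-and-delete pass does.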