Monday, January 17, 2011

COOKIE STEALING OR POISONING



So let see Wat n all the definitions available for COOKIES In the Planet:

“”Cookies are programs that Web sites put on your hard disk. They sit on your computer gathering information about you and everything you do on the Internet, and whenever the Web site wants to it can download all of the information the cookie has collected.”” [wrong]

Coookies are programs, Are u gone Insane,Heckkkkk….!! It’s a Parameter Used in the Web Prg Lanuage, used By POST,GET Methods..


POST-METHOD> Is for Posting the Contents In the web browser login page or form…Wat was Stored in Users Web Browser Or Harddisk



GET METHOD->Used to retrieve the Stored Contents on the Harddisk With the proper Mathching of ID From the webserver,,!! The records have been Pulled and Showed In Home LOGIN PAGE Or FORM Page by Post Methods..!!




And Niggas Here Is the r8 Definition, Don ask Stupid Ques..Right is Always Right One..
A cookie is a piece of text that a Web server can store on a user's hard disk. Cookies allow a Web site to store information on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs.




So We now Knew Cookies Sits on ur hard Drive(Class Bench) With ID Name(Student Name), The teacher Calls KEVIN, “Come Forward With ur Assignment”, Probably Kevin gets his ass along with him to the Teachers Cabin, So if Cookie with ID name Called By Tha Web Server it must Go..FATE…!! lol

The most common place for them to Place their Ass Safe is in d directory called c:windowscookies. When I look in that directory on my machine(NO LATE NIGHTACTIVITY),LOL…SOMETIMES AM A BAD ASS PSYCHO…..!!.But I find 165 files. Each file is a text file that contains name-value pairs, and there is one file for each Web site that has placed cookies on my machine.

Cookie Poisoning attacks involve the modification of the contents [[[i.e Like Changin the Clothes and appearences, if u chased By F.B.I In newyork City streets]]] of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized Access[lLIKE ILLEGAL AFFAIR…!! lol] information about another user and steal their identity.




Ok Be Serious Now..!! Gotta Pay more attention

Detail Portrays OF Scenario :
Many Web applications use cookies to save information (user IDs, passwords, account numbers, time stamps, etc.).about timestamp Protocol We Discuss Later In This Weeks threads,TRUST ME..Coz it’s a Imp One too, In TCP/IP Prg or in Network prog…!!!lets comeback.. The cookies stored on a user's hard drive maintain information that allows the applications to authenticate the user identity, speed up transactions, monitor behavior, and personalize content presented to the user based on identity and preferences. For example, when ur GF/BF/Spouse/Babysitter(Do u think Babysitter use Computers,ter are some hi tech Babysitters too in U.S Those are HOT,Hard to rent them) logs into a Web site that requires authentication, a login CGI validates his username and password and sets a cookie with a numerical identifier in the user's browser. When the user browses to another page, another CGI (say, preferences.asp) retrieves the cookie and displays personalized content according to the values contained in the cookie.




Cookie poisoning is in fact a Parameter Tampering attack As I Said Before in the Introduction Part, where the parameters are stored in a cookie. In many cases cookie poisoning is more useful than other Parameter Tampering attacks because programmers[Creative Thinkers Who Lives in a imaginary World ill say] store sensitive information in the allegedly invisible cookie.
For example, consider the following request: This is Just an Fictious link to make u understand better.:)
GET /store/buy.asp?checkout=yes HTTP/1.0 Host: www.hackersbay.in
Accept: */* Referrer: http://www.hackersbay.in/showprods.asp
Cookie: SESSIONID=570321ASDD23SA2321; BasketSize=3; Item1=2892;
Item2=3210; Item3=9942; TotalPrice=16044;
In this example, the dynamic page requested by the browser is called buy.asp and the browser sends the parameter checkout to the Web server with a yes value, indicating that the user wants to finalize his purchase. The request includes a cookie that contains the following parameters: SESSIONID, which is a unique identification string that associates the user with the site, BasketSize (how many items are in the purchase), the price of each item and the TotalPrice. When executed by the Web server, buy.asp retrieves the cookie from the user, analyzes the cookie's parameters and charges the user account according to the TotalPrice parameter. An attacker can change, for example, the TotalPrice parameter in order to get a "special discount".
Since programmers rely on cookies as a location for storing parameters, all parameter attacks including SQL Injection, Cross-Site Scripting, and Buffer Overflow can be executed using cookie poisoning.


Whooophh..!! Feel thE Unique Way of Learning With HACKERSBAY.IN, Coz learning Sorta Fun..!!

No comments:

Post a Comment