Session Hijacking via cookies! - The Logical Kid

Hello all! Today I am going to talk about cookies (not the ones you eat), specifically authentication cookies.


A brief introduction for those who do not know what cookies are:
Plainly, a cookie is a piece of data that a website you visit hands to your browser. It stores information about your activity, such as whether you are logged in or logged out, and/or your browsing preferences on sites like Google, YouTube, et al.

Did you notice how searching for songs once on Google and clicking on a result brings that result up again in your next search?
Have you ever wondered how YouTube suggests 'related' and/or 'recommended' videos to you?
The answer is: via cookies.
I hope you now understand what cookies are, at least roughly.

Okay! So now let me begin with my module, in which I am going to show you where exactly the cookies are stored in the browser, and later on how to use another user's cookies for fun and profit.

Tools required:
* Browser (Mozilla Firefox recommended)
* Account in way2sms (as I am taking example of way2sms here)
* Cookie editing plugin (Cookie Manager) on Firefox



Step 1: Log in to your way2sms account. (Let's call it the victim's account.)



Step 2: Open Cookie Manager, search for cookies from the way2sms domain, and look for the parameter 'JSESSIONID'.




Step 3: Copy the value of that parameter from the cookie.

Step 4: Open another browser (probably Chrome, with a cookie editor/manager installed); even a private tab in Firefox will do.

Step 5: Log in to another way2sms account, any account different from the previous one. (Let's call it the attacker's account.)

Step 6: Repeat step 2.

Step 7: Replace the value of the JSESSIONID parameter in the cookie with the previous value (which you copied earlier).

Step 8: Reload the page.

Step 9: Provide the login details of the attacker's account and log in.

That's it! You will be logged in as the victim instead of the attacker.


Alternative method?
Okay! There's another simple method which doesn't involve the use of any plugin.

Step 1: Just log in as the victim.

Step 2: Copy the complete URL:
Example:
http:// site24 . way2sms . com/ebrdg?id=AABDA654EEE776118554CAB2EA9xxxxxxxxxxx

Step 3: Paste this URL in a private tab or in a different browser.

Step 4: Log in using the attacker's account. (Any account except the victim's account.)

That's it! You will be presented with the session of the victim's account instead of yours.
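
Both methods above work only if the server keeps honouring whatever session id the browser presents, in a cookie or in the URL, even across a login. The sketch below is an added example, not part of the original post and not way2sms code: it models the server-side fix with a hypothetical in-memory `SessionStore` that reads the id from the cookie only and issues a fresh id on every login. The class, its methods and the sample ids are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "JSESSIONID"  # cookie name taken from the post


class SessionStore:
    """Toy server-side session table (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    @staticmethod
    def _cookie_sid(cookie_header):
        jar = SimpleCookie(cookie_header or "")
        return jar[COOKIE].value if COOKIE in jar else None

    def user_for(self, url, cookie_header):
        """Resolve the user from the Cookie header only.

        `url` is deliberately ignored: an id in the query string is never
        treated as a session, so a pasted URL carries no login state.
        """
        return self._sessions.get(self._cookie_sid(cookie_header))

    def login(self, username, cookie_header=""):
        """Authenticate into a fresh session, never into the presented one."""
        # Invalidate whatever id the browser sent along with the login form.
        self._sessions.pop(self._cookie_sid(cookie_header), None)
        sid = secrets.token_hex(16)  # new, unguessable id per login
        self._sessions[sid] = username
        # HttpOnly hides the cookie from page scripts; Secure keeps it off
        # plain HTTP; SameSite limits cross-site sends.
        header = f"{COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return sid, header


def demo():
    """Constructed scenario: a second browser presents the first user's id."""
    store = SessionStore()
    victim_sid, _ = store.login("victim")
    new_sid, _ = store.login("attacker", f"{COOKIE}={victim_sid}")
    return {
        "rotated": new_sid != victim_sid,
        "new_session_user": store.user_for("/", f"{COOKIE}={new_sid}"),
        "old_id_user": store.user_for("/", f"{COOKIE}={victim_sid}"),
        "url_id_user": store.user_for(f"/ebrdg?id={new_sid}", ""),
    }
```

With this behaviour the login in step 9 lands in a new session that belongs to the account whose credentials were entered, the presented id stops working, and an id pasted into a URL resolves to no user at all.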



That's all, folks!
I will be back with a new post soon!


Regards,
itsmeRiF

