In the previous article we saw what a cookie is and how it might represent a threat to our systems.
We also saw where browsers, in particular Firefox, store these cookies during our sessions.
Today we are going to analyze how to write a Java program that dumps this information into a separate file and then injects those cookies into another browser.
This will allow us to assume the identity of another user on the sites where that user was authenticated.
We will prove it by accessing our Facebook profile using another browser in which we haven’t logged in.
Let’s begin by generating session cookies as a user would normally do.
Open Firefox and visit the Facebook web page. If you have already logged in, you will see the home page of your profile open.
If you haven’t yet, accept the cookies by pressing Accept All (if asked) and enter your credentials.
From now on, every time you visit the Facebook page, you will be redirected to your profile page.
According to what we saw in the previous article, if you open the cookies.sqlite database, you should now see some entries labeled facebook.com.
Of course, what we are going to discuss is valid for the majority of web sites out there and for any browser: the only thing that changes is how each one stores cookies on your system.
If you don’t have a Facebook account, try with Gmail, Amazon or other sites.
Accessing SQL Database
At this point, we have to find a way to access, from Java, the SQL DB in which our cookies are stored.
A very useful library is the Java Database Connectivity (JDBC) API, which is the industry standard for database-independent connectivity between the Java programming language and a wide range of databases.
The JDBC API provides a call-level API for SQL-based database access.
We start by installing this library into a Java project. In my case I’m going to use IntelliJ IDEA as the IDE; you can freely download the Community edition via this link.
Once that is done, visit this page and download the latest JDBC jar archive available (sqlite-jdbc-version.jar). At the time of writing I can download the 3.14.2 version.
Once it is downloaded, create a new project in IntelliJ IDEA and then click on File -> Project Structure -> Modules -> + -> 1 JARs or directories.
Select and import the jar previously downloaded.
From now on we can use the JDBC API to access the SQL database.
Dump the Database
It’s time to write some Java code: in particular, we want to open the Firefox database and then dump its content to a file that we will use later.
First of all, let’s import the libraries needed:
Now, inside our main, starting from the database analyzed in the previous article:
we define some strings for the most important column names, that is, the ones that contain the information needed to replicate the cookie functionality.
These column names reflect the database structure at the time of writing.
In order to successfully run this experiment, I recommend that you check the database structure and align the code with the correct column names.
We are ready to define the function that will be responsible for dumping the victim database.
Let’s assume the victim uses Firefox and has his profile stored at the following location on his hard drive:
If you want to see where Firefox stores the cookies on your system and which profile you are currently using, open a tab in the browser, type about:profiles into the URL bar, and then press Enter.
We prepare the objects and variables we need; in particular, we open the cookies.sqlite file with the cookieStore object.
After these preliminary operations, in a try-catch block, we prepare a backup of the database and an object called out, used for printing to a text file named cookies.ck.
Then we open a connection to the SQLite DB and send a query that selects the whole content:
Once that is done, the result object holds the list of items contained in the database.
We loop over this list as long as elements are available and save the whole content in our cookies.ck file.
Since we will later need to read this file and recover the cookies, we use a special character to separate the different values.
We end our first function by closing everything and handling possible exceptions.
If you need, here you can download the complete code for what we have discussed.
What we need to do now is call the function DonwloadCookies that we have discussed. You should get the cookies.ck file in the directory of the program.
This is a very important file: it contains the cookies owned by the victim, and we will use it in the next article to inject the victim’s cookies into the attacker’s browser.
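The dump described above works for any process that can read cookies.sqlite in the profile directory. The following Java check is an added example, not code from the original article: it reports whether the profile directory and the cookie store files are reachable by accounts other than their owner. It assumes a POSIX file system (Linux or macOS); the class name CookieStoreAudit is hypothetical, and the profile path is the one shown by about:profiles.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;
public class CookieStoreAudit {
    // Bits that let accounts other than the owner read or replace a cookie file.
    static final Set<PosixFilePermission> FILE_RISK = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
    // Bits that let other accounts traverse the profile directory to reach the file.
    static final Set<PosixFilePermission> DIR_RISK = EnumSet.of(
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_EXECUTE);
    // Returns the risky bits actually set on path (empty when POSIX modes are unavailable).
    static Set<PosixFilePermission> exposedBits(Path path, Set<PosixFilePermission> risky)
            throws IOException {
        Set<PosixFilePermission> exposed = EnumSet.noneOf(PosixFilePermission.class);
        PosixFileAttributeView view = Files.getFileAttributeView(path, PosixFileAttributeView.class);
        if (view == null) {
            System.out.println("SKIP " + path + " (no POSIX modes here; review the ACL instead)");
            return exposed;
        }
        exposed.addAll(view.readAttributes().permissions());
        exposed.retainAll(risky);
        return exposed;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java CookieStoreAudit <profile-directory>");
            System.exit(2);
        }
        Path profile = Paths.get(args[0]);
        boolean dirOpen = !exposedBits(profile, DIR_RISK).isEmpty();
        System.out.println((dirOpen ? "WARN " : "OK   ") + profile + " (directory traversal)");
        int findings = 0;
        // cookies.sqlite* also matches SQLite side files stored next to the database.
        try (DirectoryStream<Path> files = Files.newDirectoryStream(profile, "cookies.sqlite*")) {
            for (Path file : files) {
                Set<PosixFilePermission> bits = exposedBits(file, FILE_RISK);
                boolean reachable = dirOpen && !bits.isEmpty(); // coarse: ignores group membership
                if (reachable) findings++;
                System.out.println((reachable ? "WARN " : "OK   ") + file + " " + bits);
            }
        }
        System.exit(findings == 0 ? 0 : 1);
    }
}
```

Code running under the same account as the browser can still read the store, which is the situation the article's program relies on, so this check only covers exposure to other local accounts.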