In our previous articles we discussed first what a cookie is and then how to write a Java program that dumps the cookies owned by a user.
The last step is to inject that dump into the attacker’s browser, so that it will be possible to impersonate the victim.
Let’s begin by writing the Java program. Of course we are going to use the same JDBC library already shown in the previous article and the same Firefox browser.
Our function needs some import directives:
After that we initialize some useful objects: in particular, we open the cookies.ck backup file generated in the previous article and the cookies.sqlite file that belongs to the attacker’s browser.
Also in this case, we surround our program with a try-catch block so that we can handle any possible exceptions. Inside this block, first of all we generate a connection to the SQL database:
Then, since we want to impersonate the victim’s sessions, we delete all the items already contained inside our database:
At this point we read the cookies.ck file and separate the different parts of each cookie by using the same special character used in the program shown in the previous article. For each of these items we save the value, and then we inject everything into our database.
Keep in mind that the column names used in lines 17-20 are the ones presented in the first article. Before you run this script, check whether the Firefox database has been modified.
Before we jump to the conclusions, let’s test the complete solution on our system. Open Firefox and, in the address bar, type the following URL:
In this page you can find a summary of the available profiles in your Firefox installation:
For example, in my case I have a default profile, stored in xx9bjil6.default-release and a second one in 3qa3hoju.default.
Since each of them is a separate Firefox setup, we can pretend to be in two different systems:
- the victim’s one in ..\Profiles\xx9bjil6.default-release;
- the attacker’s one in ..\Profiles\3qa3hoju.default.
As discussed in the previous article, we visited the Facebook web page with the default profile. If you visit the Facebook web page again with this profile, you should be redirected to your home page without entering any credentials. This means that the victim’s cookies.sqlite database contains everything we need to run this experiment.
We can’t say the same for the second profile. In fact, if you open a Firefox session with this one by clicking on Launch profile in new browser and you visit the Facebook web page, you should see the login page. No session cookies have been created for this profile:
Also in the last article, we ran the script presented there; by doing that we dumped the victim’s entire SQL database into a file called cookies.ck.
It’s time now to run the program discussed in this article, taking care to specify the correct cookies.ck path and the attacker’s cookies.sqlite path, which in my case is in:
Now, restart Firefox and open the same page by typing the address:
Looking at the second profile section (the one which has the Default Profile item set to No), click on Launch profile in new browser. This will open a new Firefox window with this profile.
Now, visit the Facebook page and, if everything was successful, you should be redirected to your Facebook profile, although you haven’t entered any credentials.
In this article we have finished our discussion about cookies and security. As usual, you can download the complete project at this link.
We have seen why cookies are useful and why they can be considered a risk. We presented a first program that can dump a Firefox database, and then another program that can inject this dump into another Firefox instance. Finally, as an example, we have seen how this can be used to access the Facebook web page of another user.
The only way to defend our privacy in this case is to:
- not leave our computer unattended;
- periodically log out from any web site on the Internet;
- install only certified software.
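To make the second point concrete, the following added example (not part of the original project) audits a cookie store and reports, per host, how many cookies are still valid and for how long, so you know where a log-out is overdue. It uses Python's built-in sqlite3 on a constructed in-memory table; the moz_cookies subset shown, the expiry unit (seconds since the epoch) and the 30-day threshold are assumptions to check against your Firefox version.

```python
import sqlite3

DAY = 86400  # seconds

def build_sample_db():
    # Constructed sample data standing in for a copy of a profile's
    # cookies.sqlite (assumed subset of the moz_cookies columns).
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE moz_cookies "
        "(host TEXT, name TEXT, value TEXT, expiry INTEGER)"
    )
    now = 1_700_000_000  # fixed "current time" so the result is reproducible
    con.executemany(
        "INSERT INTO moz_cookies VALUES (?, ?, ?, ?)",
        [
            (".social.example", "session", "constructed", now + 90 * DAY),
            (".social.example", "prefs", "constructed", now + 10 * DAY),
            (".shop.example", "sid", "constructed", now + 2 * DAY),
            (".old.example", "sid", "constructed", now - 5 * DAY),  # expired
        ],
    )
    return con, now

def audit_live_cookies(con, now, max_days=30):
    """List hosts whose stored cookies are still valid, longest-lived first.

    Cookie values are never read: host and expiry are enough to decide
    where a session is still open and a log-out is due.
    """
    rows = con.execute(
        "SELECT host, COUNT(*), MAX(expiry) FROM moz_cookies "
        "WHERE expiry > ? GROUP BY host ORDER BY MAX(expiry) DESC",
        (now,),
    ).fetchall()
    report = []
    for host, live, last_expiry in rows:
        days_left = (last_expiry - now) // DAY
        report.append({
            "host": host,
            "live": live,
            "days_left": days_left,
            "log_out": days_left > max_days,  # outlives the chosen threshold
        })
    return report

if __name__ == "__main__":
    con, now = build_sample_db()
    for entry in audit_live_cookies(con, now):
        print(entry)
```

To run it against a real profile, work on a copy of cookies.sqlite taken while Firefox is closed and pass the current time as `now`.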
Last but not least, remember that these articles are for educational purposes only! Don’t run these programs on computers that are not yours!