@digitalwarhead.bsky.social
Success is not final; failure is not fatal: it is the courage to continue that counts.

https://darknetdiaries.com/
A picture worth 0x3E8 words at Bsides Seattle. @00wham.bsky.social
April 19, 2025 at 4:51 PM
We intercept the login request as Admin, swap in the cookie we created for Tom, and boom — we're logged in as him! 🕵️ This is cookie hijacking in action. Weak session cookies can expose accounts. Secure cookies save lives! 🛡️
November 24, 2024 at 9:59 PM
The decoded cookies reveal plain text:
Webgoat: nzozZtxkdKtaogbew
Admin: nzozZtxkdKnimda
Reversing these strings, we see the username is reversed at the end.
To impersonate Tom, we reverse “Tom,” encode it in hex, then Base64. Crafting Tom’s session cookie lets us hijack his account! 😱
November 24, 2024 at 9:59 PM
Authentication cookies like spoof_auth are often Base64 encoded. If predictable, they can be exploited! Logging in with credentials we know, such as Webgoat and Admin, we find:
Webgoat: NmU3YTZm...
Admin: NmU3YTZm...
Decoded, these cookies reveal hex patterns. Time to exploit them! 🔓
November 24, 2024 at 9:59 PM