I installed the Wacai app because I wanted to sync its data, and started with a quick test of the login flow; that is where this cookie problem turned up. The cookie can be forged to log in as other users, which gives access to their financial records, the forum, and so on. If an administrator's cookie were forged, getting further control of the server probably would not be hard either, but that is only speculation; I did not go any deeper. The details follow.
Wacai's cookie is weakly encrypted, and the only thing it authenticates is the user name. I spent half a day trying to work out the exact algorithm and did not manage it (my maths is all forgotten), but it is clearly not complicated. The user field in the cookie appears to hold the email address the user registered with. The captured cookie is base64 encoded; decoding it gives unreadable bytes, but viewed as hex the number of bytes matches the number of characters in the registered email. Analysis showed that although the same character encrypts to different values at different positions, a given character at a given position always encrypts to the same value. That makes the following method of forging a valid cookie possible.
Test procedure:
First register an account, firstname.lastname@example.org, and fill in some spending records; this is the attack target.
Since a character at the same position always encrypts to the same value, two more accounts can be registered whose cookies are spliced together to produce the target's. The two accounts need to differ by one character, so I registered the following two accounts: email@example.com and firstname.lastname@example.org. Take the first byte of the second user's base64-decoded cookie, put it in place of the first byte of the first user's base64-decoded cookie, and base64-encode the result; that completes the forged cookie for the target user.
Record the first byte of the second user's base64-decoded cookie.
It is 11. Next, modify the first user's cookie.
Change the 1d to 11, base64-encode again, and that produces the target's cookie.
Set the modified cookie in the browser.
Refresh the page: it now shows as logged in.
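The following is an added example, not code from the report or from Wacai. It models the property the report observed (a byte at a given position always maps to the same value, independent of the other bytes) with a constructed per-position XOR table; the app's real algorithm is unknown and this table is only an assumption that reproduces the observed behaviour. The email addresses are constructed. The point for a defender is the self-check at the end: a token format in which one account's byte can be spliced into another's token and still be accepted is malleable, while an HMAC over the whole payload (the hardened form shown beside it) rejects any spliced token.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# --- Constructed stand-in for the weak scheme --------------------------------
# Every byte is transformed on its own, keyed only by its position, so the
# same character at the same position always produces the same output byte.
# This is an assumption standing in for the app's unknown algorithm.
_KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(64))


def weak_encode(email: str) -> str:
    """Per-position transform followed by base64, as the report describes."""
    raw = email.encode()
    ct = bytes(b ^ _KEYSTREAM[i] for i, b in enumerate(raw))
    return base64.b64encode(ct).decode()


def weak_decode(cookie: str):
    """Server side of the weak scheme: undo the transform, no integrity check."""
    try:
        ct = base64.b64decode(cookie)
        return bytes(b ^ _KEYSTREAM[i] for i, b in enumerate(ct)).decode()
    except (binascii.Error, UnicodeDecodeError, IndexError):
        return None


# --- Hardened form: authenticate the whole payload ---------------------------
# Constructed key; in production it comes from a secrets store, not the code.
_SERVER_KEY = secrets.token_bytes(32)


def signed_encode(email: str, key: bytes = _SERVER_KEY) -> str:
    """payload || HMAC-SHA256(key, payload), base64 encoded."""
    payload = email.encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def signed_decode(cookie: str, key: bytes = _SERVER_KEY):
    """Returns the email only if the tag covers exactly this payload."""
    try:
        raw = base64.b64decode(cookie)
    except binascii.Error:
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode()


def _splice_first_byte(donor: str, base: str) -> str:
    """The report's manipulation: donor's first decoded byte into base."""
    d = base64.b64decode(donor)
    b = base64.b64decode(base)
    return base64.b64encode(d[:1] + b[1:]).decode()


def splice_is_accepted(encode, decode) -> bool:
    """Regression check for a token format: can two legitimately issued tokens
    be spliced into a token the server accepts for a third identity?"""
    target = "t-user@example.org"            # constructed
    a = encode("a-user@example.org")         # same tail, different first char
    b = encode("t-other@example.org")        # same first char as target
    return decode(_splice_first_byte(b, a)) == target


if __name__ == "__main__":
    print("weak scheme spliceable:  ", splice_is_accepted(weak_encode, weak_decode))
    print("signed scheme spliceable:", splice_is_accepted(signed_encode, signed_decode))
```

The signed form only fixes authenticity: the email is still readable in the cookie. If the identifier should also stay confidential, either encrypt-then-MAC the payload with an AEAD or, simpler still, issue an opaque random session id and keep the mapping to the user server side, so the cookie carries nothing worth splicing.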