
This page exposes the cookie session name and that it has to be set to give access to the super secret key. Can this be hacked, like setting the cookie remotely somehow, and in that case how?

<?php
// Start a session only if one is not already active
isset($_SESSION) ? true : session_start();
// Deny access unless the session variable exists; its value is never compared
isset($_SESSION['sure_you_have_access']) ? true : exit("NO ACCESS session cookie sure_you_have_access isn't set :S");

echo "Here is the super secret key ABC123, that you shouldn't be able to read unless the session cookie variable sure_you_have_access is set to anything. "; ?>
K. Kilian Lindberg
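The comments below settle the question in prose; the script here is an added example (not the asker's code) that makes the distinction concrete: a cookie the browser sets itself with document.cookie only ever appears in $_COOKIE, while $_SESSION is read from server-side storage keyed by the session ID, so the only client-controlled input is that ID. It also shows the hardened form of the check: strict session-ID mode, cookie flags, a concrete value compared instead of isset(), and ID rotation at the point where access is granted. It assumes PHP 7.3 or newer; the demo_login query parameter is a constructed stand-in for a real login step and is not part of the original page.

```php
<?php
// Added example, not the asker's code. Shows that a cookie a client sets
// itself (document.cookie="sure_you_have_access=1") only reaches $_COOKIE,
// never $_SESSION, and replaces the isset()-only check with a hardened one.
// Assumes PHP >= 7.3; "demo_login" is a constructed stand-in for a real
// authentication step and does not exist in the original page.

declare(strict_types=1);

// Refuse session IDs the server never issued, and keep the session cookie
// out of document.cookie and (when served over HTTPS) off plain HTTP.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),   // true once behind TLS
    'httponly' => true,
    'samesite' => 'Lax',
]);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// The only code path that writes the grant. Rotating the ID here makes an ID
// that was fixed or observed before login worthless afterwards.
function grant_access(): void
{
    session_regenerate_id(true);
    $_SESSION['sure_you_have_access'] = true;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Compare a concrete value (not just isset()) and re-check the user-agent
// binding recorded at grant time; hash_equals avoids a timing side channel.
function has_access(): bool
{
    if (!isset($_SESSION['sure_you_have_access'], $_SESSION['ua_hash'])) {
        return false;
    }
    $uaNow = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return $_SESSION['sure_you_have_access'] === true
        && hash_equals($_SESSION['ua_hash'], $uaNow);
}

header('Content-Type: text/plain');

// Constructed stand-in for a real login form (demo only).
if (isset($_GET['demo_login'])) {
    grant_access();
}

// What the client controls versus what only server code writes:
echo 'client cookie sure_you_have_access present: '
    . (isset($_COOKIE['sure_you_have_access']) ? 'yes' : 'no') . "\n";
echo 'server session grant present             : '
    . (isset($_SESSION['sure_you_have_access']) ? 'yes' : 'no') . "\n";

if (!has_access()) {
    http_response_code(403);
    exit("NO ACCESS\n");
}
echo "Here is the super secret key ABC123\n";
```

To try it locally: run `php -S 127.0.0.1:8080 demo.php`, then `curl -b 'sure_you_have_access=1' http://127.0.0.1:8080/` reports the client cookie as present but the server grant as absent and returns 403; `curl -c jar -b jar 'http://127.0.0.1:8080/?demo_login=1'` followed by `curl -b jar http://127.0.0.1:8080/` returns the key, because the grant now lives in the server-side session that the jar's PHPSESSID points at. Binding the session to the User-Agent string is a cheap extra check, but it is not a substitute for the ID's own unpredictability, and binding to the client IP as well tends to log out mobile users whose address changes.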
  • Umm, what's the value of the variable? Just having it set (without checking the value) is kind of pointless. – Burhan Khalid Jan 19 '14 at 16:58
  • I can set a cookie value to whatever I want using browser debug tools, or use curl with a manually set cookie value.... all I need to know is the session cookie name (default to PHPSESSID for PHP), and the cookie value of a user that has a valid session – Mark Baker Jan 19 '14 at 16:59
  • @Burhan_Khalid well.. the question is kind of just that. I wouldn't say it's pointless. Since normally if it isn't set it wouldn't give access – K. Kilian Lindberg Jan 19 '14 at 16:59
  • @MarkBaker thanks, so then it can be set via like Firebug/Chrome debug tool and the secret key would be exposed easily. thanks – K. Kilian Lindberg Jan 19 '14 at 17:02
  • Well, theo-practically yes a browser session can be hijacked by guessing a session ID. One technique I know from the back of my head is generating a random nonce for each page and require the client to send that nonce for each subsequent access. It's harder for an attacker to guess something that changes with every single page access on top of a session ID. You can also take things like user agent and IP address changes into account in order to harden your security. – tiguchi Jan 19 '14 at 17:03
  • Okay I could set a cookie with Chrome developer tools -> console by entering javascript such as ... document.cookie="sure_you_have_access=now_its_set_yay" and viewing all cookies with alert(document.cookie) .. but still all the session variables are set via a cookie variable named something like PHPSESID with the value kd93cjqi5vt8395dt5r7dboam7 .. which in its turn can contain the session variable sure_you_have_access set or not set. So actually how can knowing the session variable name of sure_you_have_access be used as a vulnerability – K. Kilian Lindberg Jan 19 '14 at 19:19
  • Ok, So I guess in this case a hacker would have to go through something like (24+10)^26 different strings set to PHPSESID with the variable sure_you_have_access = "anything" to get the key ABC123.. So yep, it's a vulnerability to expose that info even though that could easily be stopped anyhow in different ways – K. Kilian Lindberg Feb 03 '14 at 12:51
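Two things in this comment thread lend themselves to a worked example: the size of the session-ID guess space the asker estimates, and the per-page nonce that tiguchi suggests as a second factor on top of the ID. The script below is an added example and not code from the thread. It assumes the ID is drawn uniformly from a fixed alphabet (the quoted value kd93cjqi5vt8395dt5r7dboam7 is consistent with 26 characters over 0-9a-v, i.e. 32 symbols; the asker's (24+10)^26 assumes 34), and the nonce helpers assume session_start() has already run when used in a real page. It runs from the command line with a constructed stand-in for $_SESSION.

```php
<?php
// Added example, not from the thread. (1) Estimates the guess space of a
// session ID shaped like the one quoted in the comments; (2) implements the
// per-page nonce tiguchi describes, so a guessed or stolen session ID alone
// is not enough. Run with: php this_file.php   (assumes PHP >= 7.0)

declare(strict_types=1);

// Assumption: IDs are uniform over $alphabetSize symbols, $length long.
function session_id_bits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// log2 of the expected number of guesses before hitting any one of
// $activeSessions valid IDs (a guess succeeds if it matches any of them).
function expected_guesses_log2(float $idBits, int $activeSessions): float
{
    return $idBits - log($activeSessions, 2);
}

// --- per-page nonce ---------------------------------------------------------
// Each response embeds a fresh token; the next request must present it.
// Someone holding only the session ID has not seen the page, so the token
// is missing and the request is refused.
function issue_nonce(): string
{
    $nonce = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $_SESSION['page_nonce'] = $nonce;
    return $nonce;
}

function check_nonce(?string $submitted): bool
{
    $expected = $_SESSION['page_nonce'] ?? null;
    unset($_SESSION['page_nonce']);       // single use: a replay fails as well
    return $expected !== null
        && $submitted !== null
        && hash_equals($expected, $submitted);
}

// Constructed stand-in for the server-side session (no real session on CLI).
$_SESSION = [];

$bits = session_id_bits(26, 32);
printf("ID entropy             : %.0f bits\n", $bits);                       // 130
printf("guesses vs 1 session   : 2^%.0f\n", expected_guesses_log2($bits, 1));
printf("guesses vs 1e6 sessions: 2^%.1f\n", expected_guesses_log2($bits, 1000000));

$token = issue_nonce();                          // embedded in the page or form
var_dump(check_nonce($token));                   // bool(true): legitimate follow-up
var_dump(check_nonce($token));                   // bool(false): already consumed
var_dump(check_nonce(str_repeat('0', 32)));      // bool(false): an unrelated guess
```

The entropy figure is the real answer to the guessing question: at 130 bits, even with a million live sessions to hit, online guessing is not the realistic threat, so defences should aim at ID theft (network sniffing, XSS reading a cookie without HttpOnly, session fixation), which is what strict mode, cookie flags and ID regeneration address. The per-page nonce does raise the bar against a stolen ID, but it has a cost worth knowing before adopting it: because only the latest token is valid, opening a second tab or using the back button invalidates the other page, so it is usually reserved for sensitive actions rather than every request.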
