CSE 466: Project 4
Sidejacking web site cookies (firefox)
Due Date: Nov 21st, start of class
Method of submission: Print out only
Projects MUST be done in groups of two

Note: This project is being deprecated. It worked on a variety of popular websites till 2015. In 2016 it worked against Ebay. This year it does not work on most sites – the web security is getting better. However, part-1 of the project works on any site that has user accounts (google, yahoo, amazon, etc)

Warning: These instructions are meant to provide you training with security issues. You are advised to implement this project on your personal machines, or on Virtual Machines owned by you, or provided through the class. Use these instructions to hack into accounts owned by you, or get explicit permission from a ‘friend’ to hack into their account.  Hacking a real account without permissions is a BAD idea – it is a criminal offense. You may be even jailed for it.

These instructions are intended to train computer security professionals, not to help criminals.

Information: This project is about sidejacking – stealing session cookies. Sidejacking is typically done via intercepting cookies from (wireless) networks. Different websites handle cookies differently. The project decription says Ebay, but other sites will work too.

There are two parts to the project. Part one the cookies are stolen via cut-paste and not via network. This is easy and cannot be done by an attacker. The second part is hacking – stealing cookies off of the wireless network. This is attack territory and is harder.

Part 1:

Sidejacking using cookie editor (easy)

Start any two virtual machines using Vmware.  Install Firefox if not already present. Get cookie editor from the following site (https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/?src=search)

Start with a Ebay account. Log into one account on one VM using firefox – call this account V.  Browse some items and check your connection is using http and not https. Open cookie editor on firefox running account V, type in ebay in the filter/search box, and copy the contents for the session cookies and store it somewhere that you can easily access.  Now move to the other VM, and visit Ebay and log in using an account that is not-V.  Open another tab in firefox and close the tab running account not-V, do not close firefox as closing firefox will flush cookies out (requiring extra work for you to create all Ebay cookies from scratch).  Open cookie editor and again type in Ebay in the filter box.  Edit cookies and paste the values you had previously copied from account V.  Of course you can choose not to previously copy and do on-the-fly copying.  Once you are done copying the values, save and close cookie editor.  Type in ebay.com and presto – you should have account V running on this machine instead of account not-V.

Tasks:

Part 1:

1.      Snapshot:  the desktop of the two virtual machines, clearly mark which VM will be used to execute the victim account and which will execute the Cracker account.

2.      Snapshot: home page for two Ebay logins once you complete login.

3.      Snapshot: cookie values of session cookies for V.

4.      Snapshot: cookie values of session cookies for account not-V.

5.      Snaphot: Show new values pasted into the machine running account not-V.

6.      Snapshot: Show Ebay account V executing instead of account not-V.

----------------------------------

Part 2 does not work – unless if you find a site that uses http for browsing even when you are logged on (signed–in) to the site. The text here, is left from last year, just for FYI.

----------------------------------

Part 2: (leniently graded) Due Date: Nov 30 [This part will be graded leniently, attempting will get you points even if you are not successful]

There is a vulnerability on the Yahoo EBAY site, at the moment. If you log into Ebay and do searches it uses an insecure connection. Since this connection transmits cookies, it is possible to steal the cookies and use them to masquerade a user without having to sign-on.

Sidejacking via Wireless Network (not easy)

 [This part should NOT be done on ASU encrypted wifi and possibly it will not work. Do not use any public WiFi where other people may be using ebay. It should work on open wifi or even WPA encrypted wifi (shared key).]

This part is to do the same as part one, but to steal the cookies over the air using an attack machine connected to the same wireless network. We will not be doing a MITM, though MITM would work rather nicely too.

1.      Get two physical machines. One the attack machine install a wireless network sniffer (such as Wireshark, Kismet or use a hacking Linux distro called Kali). Make sure you know how to use it and packet sniffing works. Use the attack machine to watch packets being sent/received by the victim machine as you browse various sites on victim machine.

2.      The victim machine can be any OS (Windows will work). On victim machine, log into Ebay. Then browse…. And capture all packets from/to Ebay via the attack machine.

3.      On attack machine log into The Not-V Ebay account and go to the search page. Then identify the session cookies used on victim machine, and install them on the browser (like part 1). Continue browsing on attack machine and note that you will be on victims account.

Submit screenshots of what you achieved.