We have our topology 7 set up in virtnet with our five nodes running, and we now want to perform some web application attacks. So the scenario is that node 4 is running our real web server with the MyUni grading system. There's a router that's connecting the browsers to the server. So the first attack that we want to look at is a very simple cookie stealing. So the idea is that when the user on the web browser, say on node 1, logs in, the state information about that login is stored on the browser using a cookie. So you need to study the basics of HTML, HTTP and cookies to understand how a browser and a web server maintain state information about a login, and that's using cookies. So as an attack, because the cookie which is stored locally on the browser is used to identify the user, if someone else can obtain those cookies, if they can steal those cookies, then they could log in as that user. So then the question is how could another user, such as a user on node 2, obtain the cookies of the user on node 1. There are different approaches and it depends upon the scenario. In real life it may be as simple as, if it's a shared computer, some user has logged in and they haven't logged out, then another user can come along and steal the cookies. If we didn't have access to node 1's computer, then if we could access a device in between the browser and the server we may be able to capture the packets sent between the browser and server and steal the cookies that way. Or we could use a more advanced attack where we have a web application that tries to steal the cookies using, say, cross-site scripting. In this demo I want to show how we can see the cookies in the browser, and we'll do a simple stealing using capturing on the router, assuming our malicious user can also capture packets on the router. The normal user on node 1, let's log in to our grading system and look at the cookies. Normally Lynx doesn't save cookies.
We can use a special config file which is included; if we just ls, there's a Lynx config file which sets it up to save cookies in a file. And if we look at that config file, it says save all cookies and save them in a file in our home directory called dot Lynx cookies. We'll have a look at that in a moment. So I'm going to start Lynx, but I'm going to load the config file, which is lynx.cfg, and access the website for MyUni. So in this mode the Lynx browser should save our cookies and we'll be able to look at them later. We log in, let's say as user s1234567, enter the password and log in, and it logs in. It doesn't prompt us about saving or allowing cookies because it's automatic in this case. We're logged in and we can view our grades. We can view all the grades of our courses in this case. Okay, in Lynx there are different ways to look at the cookies. If you do Ctrl-K it shows your cookie jar. And in this case we only have one cookie in the cookie jar and it's for the site www.myunion.edu. And there's some information stored in that cookie: the username. The ID hash is created by the web application and used essentially as a hash of the username and the password, so that when the browser accesses that web server again the web server can identify it as the same user that accessed before, so as to maintain that state information. And there are some other properties of the cookie there about the expiry date and some security parameters. The ID hash is the important thing that should be unique to the user. One who has that can log in as the currently logged in s1234567 student. So a cookie stealing attack will try to steal these values. If we quit Lynx we can also see that saved in the Lynx cookies file. So the cookies are saved in a file in a format where they're tab separated. So there are two values here: the username is saved and the ID hash is saved. So the cookie stealing attack involves someone trying to obtain those values.
Let's try it via a capture. What we're going to do is on the router run tcpdump to record the packets going between the browser and the web server when that user logs in. So on node 1 let's just clear the cookies, so delete that file, and log in again. Just clear that, and in a moment on node 1 we'll log in as the normal user. But before we do that we'll go to node 3, and let's say the malicious user has access to node 3 and they can capture the packets. So what they want to do is capture the cookie value and then they can steal it. So we can use tcpdump to capture packets, and there are some different approaches: we can capture the packets using tcpdump and save them in a file, write to a file, and then we'll open that file in Wireshark. If you want to do it all inline you can capture the packets and display them as they go, but you're really only interested in some packets, the HTTP packets. So this is a complex way to use tcpdump to capture and show just the HTTP packets. We will not try that; we'll save to a file and open in Wireshark. On interface eth1, let's write to cookies.pcap. We're now capturing on node 3, the router. Go back to node 1, so now the normal user accesses the website and logs in: s1234567, enters their password, they log in and they can view their grades. And now let's go to the capture, which we'll stop, and the aim here is that inside that capture we'll be able to see the cookies. Now in this demo it's not so good, because if we look in the capture we can actually see the username and password, and a better thing than stealing the cookie is to steal the username and password. But in other scenarios that may not be possible; we may only get the cookies. So now let's look at this capture file in Wireshark. And because it's on node 3 I need to copy this capture file from node 3 to my host computer, my Windows computer.
I'll use FileZilla to do that, and I'll connect to localhost using a network password, network, and node 3, port 2203. Actually I'll do it via the Site Manager because I need to specify that the protocol is SFTP; by default it goes to FTP, so I'll do it here: 2203, localhost, network, network, connect. We're connected to node 3 and we see in there that there's cookies.pcap, and I'm going to download that to my Windows computer, and now we'll open that in Wireshark. So here we have our captured packets in Wireshark. We want to look at the HTTP packets, so we'll filter on that, and we can see if we zoom in now that there are a number of HTTP requests and replies between our normal user on the browser and the MyUni web server. Now if we look closely we'd see the username and password in there in the login request, but let's say we just captured some of the later requests, not the login, for example this GET for the query page. Let's open that and have a look. If we look inside this request sent from the browser to the server, for the browser to identify the user each time it sends a cookie, and inside that cookie are the values of the username field and the id hash field. The username is the user's student login; the id hash is some representation of a unique identifier for that user. You need to look at how the web application is implemented on the server to see how that's generated, but let's say the malicious user has learned these values. Now they know the values of the username and id hash of another user, so essentially they've stolen the cookie, and now the malicious user can open up a browser, set their cookie to use these values, so that they log in as this user. Let's try that.

So we're our malicious user who's now on node 2; they captured on node 3, now they're going to open their browser on node 2. We'll use Lynx and we'll set the config to use the config that saves cookies. First we'll log in as our normal user, so let's say our malicious user is the student s followed by seven zeros. They log in; they're allowed to log in. What this malicious user wants to do is see the grades of the other user, s1234567. They cannot: the nature of the application is that it doesn't let one user see another user's grades, one student see another student's grades. So let's quit this, and note that inside the cookies saved, so the cookies for this s0000000 user are saved here; that identifies that user. But we've previously learned the username and id hash of the other user, so let's change our cookies. So here our malicious user changes the username to be s1234567 and changes the id hash to match the one that they stole. There's a long one: e8, let's get this right, seven six f6 five four nine f nine three six three nine a a a four nine six a f five one five six one four b eight six one four b eight. And we'll save that file. So what we've done is the malicious user on node 2 has set the cookies that their browser is going to use to the values stolen from the other user. We'll save that, yes, save that. Now we'll open our browser again and it will load those cookies, and note because it loads those cookies, which contain the username s1234567 and the corresponding id hash which is allocated to that user, we're automatically logged in as user s1234567. So our malicious user on node 2, our user s followed by seven zeros, has stolen the cookie of the other student user, and by stealing those cookies it allows them to log in as that other student user and of course view their grades. Now our malicious user sees the grades of the other student.

So that's a quick demonstration of a cookie stealing attack. The idea is that one user wants to obtain the cookies of another user. The method we used in this case was that the malicious user had access to an intermediate device that would allow them to capture the packets, which contain the cookies, between the browser and web server. That's not always possible. A more advanced attack would be for the malicious user to have a website that somehow causes the MyUni web server to send the cookies to their malicious web server; a cross-site scripting attack can do that.
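The demo works because the MyUni cookie is a deterministic "id hash" of username and password that is identical on every login, never expires, and is sent over plaintext HTTP, so whoever copies it holds a permanent credential. The following is an added example (not code from the lecture or from the MyUni application) showing the server-side session design that defeats the replay shown above: the cookie carries only an opaque random token, all state lives in a server-side table with an expiry, the cookie is issued with Secure, HttpOnly and SameSite, and a token presented from a client other than the one it was issued to is treated as stolen, revoked and logged. The client addresses, usernames and timestamps are constructed for the demonstration; `SessionStore` and `weak_id_hash` are hypothetical names, not MyUni's.

```python
import hashlib
import secrets
import time
from typing import Optional
from http.cookies import SimpleCookie


def weak_id_hash(username: str, password: str) -> str:
    """The scheme described in the lecture, modelled here as SHA-256 of
    username:password (assumption; MyUni's exact construction is not shown).
    It is deterministic: every login yields the same value, so a copied
    cookie works indefinitely and can also be brute-forced offline."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


class SessionStore:
    """Server-side session table. The browser only ever sees a random token;
    the user, the issuing client address and the expiry stay on the server."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.sessions = {}   # token -> {"user", "client", "expires"}
        self.alerts = []     # audit log of suspicious presentations

    def login(self, username: str, client_addr: str,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[token] = {"user": username, "client": client_addr,
                                "expires": now + self.ttl}
        return token

    @staticmethod
    def set_cookie_header(token: str) -> str:
        """Secure: never sent over plaintext HTTP, so a capture on the router
        sees nothing usable. HttpOnly: page script cannot read it, which blunts
        the cross-site scripting route. SameSite: not attached to cross-site
        requests."""
        jar = SimpleCookie()
        jar["session"] = token
        jar["session"]["secure"] = True
        jar["session"]["httponly"] = True
        jar["session"]["samesite"] = "Strict"
        jar["session"]["path"] = "/"
        return jar.output(header="Set-Cookie:").strip()

    def authenticate(self, cookie_header: str, client_addr: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Return the username for a valid session, otherwise None.
        A token arriving from a different client than it was issued to is
        treated as stolen: the session is revoked and an alert recorded."""
        now = time.time() if now is None else now
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "session" not in jar:
            return None
        token = jar["session"].value
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now >= sess["expires"]:
            del self.sessions[token]          # stale token, drop it
            return None
        if sess["client"] != client_addr:
            self.alerts.append(
                f"session for {sess['user']} issued to {sess['client']} "
                f"presented from {client_addr}; revoked")
            del self.sessions[token]          # revoke for both parties
            return None
        return sess["user"]

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


def demo() -> dict:
    """Replay the lecture scenario with constructed addresses: the student on
    10.0.1.1 logs in, a second host (10.0.2.1) replays the copied cookie."""
    store = SessionStore(ttl_seconds=600)
    t0 = 1_700_000_000.0
    token = store.login("s1234567", "10.0.1.1", now=t0)
    header = store.set_cookie_header(token)
    ok = store.authenticate(f"session={token}", "10.0.1.1", now=t0 + 10)
    stolen = store.authenticate(f"session={token}", "10.0.2.1", now=t0 + 20)
    # the replay revoked the session, so the original browser is logged out too
    after = store.authenticate(f"session={token}", "10.0.1.1", now=t0 + 30)
    return {"header": header, "ok": ok, "stolen": stolen,
            "after": after, "alerts": list(store.alerts)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding a session to the client address is a coarse control: users behind changing NAT addresses or on mobile networks will be logged out, so many deployments only raise the alert and leave revocation to an analyst. The design choices that matter regardless are the ones the lecture's cookie lacks: a random token instead of a credential-derived hash, a server-side expiry, and the Secure and HttpOnly flags.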