How to modify a Base64 encoded cookie?

Big Boss

Apr 14, 2012, 5:15:58 AM
to null-...@googlegroups.com
Hi,

I was doing a test on a website and noticed that the cookie set by it can be Base64 decoded.
And upon decoding I saw the username with which I was logging in. Now I am hoping that I can log in to another user's account just by changing the username in the cookie.
The problem is that I am not able to re-encode the string to Base64 after modifying the username, or even without modifying it. I believe it's because of some unrecognizable characters.
The cookie value is:
BAh7CUkiD3Nlc3Npb25faWQGOgZFRkkiJWI4ZWNiNDFhMWI4NWZkOGFmOWYyZDEzYjA5MGU0OTFlBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMWRYekVzWmZtcFArS1VaQUtnSWJ2YjJJZkRCWUZSNjc0Q2pZcGxkVHB2TFU9BjsARkkiEFV4eGVyTWFzdGVyBjsARnsGOgpsb2dpbkkiCmFkbWluBjsARkkiCm1vZGFsBjsARlQ=
Username: admin

Any help would be great.

Andrew Fastow

Apr 14, 2012, 6:58:15 AM
to null-...@googlegroups.com
Use the Python lib (http://docs.python.org/library/base64.html) to do it.

1) Save the output of the original encoding to a file.
2) Modify the file in a hex editor.
3) Save the file again.
4) read() it in Python and encode.


--
Get ready to Goa - nullcon Security Conference
http://nullcon.net
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

mayur singru

Apr 14, 2012, 7:15:54 AM
to null-...@googlegroups.com
Why don't you use CAL9000, a tool for encoding & decoding, or install the add-on HackBar in Mozilla?
--
Thanks & Regards,
Mayur Singru


webDEViL

Apr 14, 2012, 7:18:35 AM
to null-...@googlegroups.com

import base64

HexOutput = base64.b64decode('BAh7CUkiD3Nlc3Npb25faWQGOgZFRkkiJWI4ZWNiNDFhMWI4NWZkOGFmOWYyZDEzYjA5MGU0OTFlBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMWRYekVzWmZtcFArS1VaQUtnSWJ2YjJJZkRCWUZSNjc0Q2pZcGxkVHB2TFU9BjsARkkiEFV4eGVyTWFzdGVyBjsARnsGOgpsb2dpbkkiCmFkbWluBjsARkkiCm1vZGFsBjsARlQ=').hex()

# Python 3 port: swap the hex of "admin" for the hex of "webDEViL", then Base64-encode the bytes again
print(base64.b64encode(bytes.fromhex(HexOutput.replace(b"admin".hex(), b"webDEViL".hex()))).decode())


This should help.


--
Regards,
webDEViL


Anant Shrivastava

Apr 14, 2012, 7:21:32 AM
to null
Any decent proxy will have options to decode Base64 and re-encode
directly.
This stands true for
Paros, ZAP, Burp, WebScarab.

Even HackBar is a good option.


webDEViL

Apr 14, 2012, 7:27:27 AM
to null-...@googlegroups.com
Come on...I wrote such a nice script :P

Ashutosh J

Apr 14, 2012, 9:18:04 AM
to null-...@googlegroups.com
Burp proxy has the decoder and encoder. You can use it. Apart from that, http://www.opinionatedgeek.com has a Base64 encoder and decoder.
Use it.

Akash

Apr 14, 2012, 9:50:01 AM
to null-...@googlegroups.com
I agree that was a nice script.
warm regards,
Akash Mahajan
--------------------------------------------------
Web/Network Security Consultant
--------------------------------------------------
akashm.com | @makash on twitter

Dhiraj Ranka

May 3, 2012, 12:44:34 AM
to null-...@googlegroups.com
Use burp, that is more than sufficient for encoding and decoding.
 
@webDEViL: Your script was really very nice :)
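
Seen from the server side of this thread, as an added example that is not from any poster: Base64 is an encoding, not protection, so a cookie like the one above is only trustworthy if the server authenticates it. This sketch signs the Base64 payload with HMAC-SHA256 and shows that an edited copy is rejected. The key, the sample payload, the `data--tag` layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret that never reaches the client (constructed value).
SECRET_KEY = b"constructed-demo-key"

def sign_cookie(payload: bytes, key: bytes = SECRET_KEY) -> str:
    """Return 'base64(payload)--hex(HMAC-SHA256 over the Base64 text)'."""
    data = base64.b64encode(payload).decode("ascii")
    tag = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return f"{data}--{tag}"

def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload bytes if the tag matches, otherwise None."""
    data, sep, tag = cookie.rpartition("--")
    if not sep:
        return None  # unsigned cookie: never trust it
    expected = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd characters in the tag cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # payload or tag was altered after the cookie was issued
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return None

def edited_copy(cookie: str, old: bytes, new: bytes) -> str:
    """Simulate a client that edits the payload but can only reuse the old tag."""
    data, _, tag = cookie.rpartition("--")
    edited = base64.b64decode(data).replace(old, new)
    return base64.b64encode(edited).decode("ascii") + "--" + tag

# Constructed binary session payload (not the cookie from the thread).
SAMPLE_PAYLOAD = b"\x04\x08{\x06:\nloginI\"\nadmin\x06:\x06EF"

if __name__ == "__main__":
    issued = sign_cookie(SAMPLE_PAYLOAD)
    print("genuine:", verify_cookie(issued))
    print("edited :", verify_cookie(edited_copy(issued, b"admin", b"guest")))
```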
 