utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Firesheep;
2,324 views
Skip to first unread message
hlexa
Nov 9, 2010, 3:39:57 PM11/9/10
to Firesheep
HI!
Sorry about posting this on Codebutler. I hadn't noticed the link to
this groupe.
Anyway. I'll try here. And with a ouple of refrasings.
What does this code do?
: Cookie:
: __utma=xxxxxxxxx.yyyyyyyyyy.zzzzzzzzzz.aaaaaaaaaa.bbbbbbbbbb.c;
: __utmb=xxxxxxxxx.y.zz.aaaaaaaaaa; __utmc=bbbbbbbbbb;
: __utmz=xxxxxxxxx.yyyyyyyyyy.z.a.utmcsr=google|utmccn=(organic)|
: utmcmd=organic|utmctr=Firesheep; PHPSESSID=0ezzzzzzz
The above is all on the one and same line. It's copy-pasted here from
a Usenet posting.
I'm trying to make a script to capture the session when I login to
http://www.version2.dk. A Danish site. However, modifying the default
script in Firesheep fails to produce a link in the Sidebar (Firefox
3.6.12, Mac OS X 10.5.8).
I captured the cookie-setting packet containing the above code with
Ethereal. It gets sent twice.
The packet seems to be using something from Google and Firesheep
appears in the code.
Any ideas?
Cheers.
Sorry about posting this on Codebutler. I hadn't noticed the link to
this groupe.
Anyway. I'll try here. And with a ouple of refrasings.
What does this code do?
: Cookie:
: __utma=xxxxxxxxx.yyyyyyyyyy.zzzzzzzzzz.aaaaaaaaaa.bbbbbbbbbb.c;
: __utmb=xxxxxxxxx.y.zz.aaaaaaaaaa; __utmc=bbbbbbbbbb;
: __utmz=xxxxxxxxx.yyyyyyyyyy.z.a.utmcsr=google|utmccn=(organic)|
: utmcmd=organic|utmctr=Firesheep; PHPSESSID=0ezzzzzzz
The above is all on the one and same line. It's copy-pasted here from
a Usenet posting.
I'm trying to make a script to capture the session when I login to
http://www.version2.dk. A Danish site. However, modifying the default
script in Firesheep fails to produce a link in the Sidebar (Firefox
3.6.12, Mac OS X 10.5.8).
I captured the cookie-setting packet containing the above code with
Ethereal. It gets sent twice.
The packet seems to be using something from Google and Firesheep
appears in the code.
Any ideas?
Cheers.
craSH
Nov 9, 2010, 8:54:52 PM11/9/10
to Firesheep
This just means you searched for Firesheep somewhere and that search
term was placed in the cookie.
From http://www.randycullom.com/chatterbox/archives/2008/10/google_analytic.html
-
"utmctr = The keyword phrase someone typed into the search engine.
Really useful this one, however remember it shows the last search
data, not how someone originally found you."
-Ian
On Nov 9, 12:39 pm, hlexa <hl...@hotmail.com> wrote:
> HI!
>
> Sorry about posting this on Codebutler. I hadn't noticed the link to
> this groupe.
>
> Anyway. I'll try here. And with a ouple of refrasings.
>
> What does this code do?
>
> : Cookie:
> : __utma=xxxxxxxxx.yyyyyyyyyy.zzzzzzzzzz.aaaaaaaaaa.bbbbbbbbbb.c;
> : __utmb=xxxxxxxxx.y.zz.aaaaaaaaaa; __utmc=bbbbbbbbbb;
> : __utmz=xxxxxxxxx.yyyyyyyyyy.z.a.utmcsr=google|utmccn=(organic)|
> : utmcmd=organic|utmctr=Firesheep; PHPSESSID=0ezzzzzzz
>
> The above is all on the one and same line. It's copy-pasted here from
> a Usenet posting.
>
> I'm trying to make a script to capture the session when I login tohttp://www.version2.dk. A Danish site. However, modifying the default
term was placed in the cookie.
From http://www.randycullom.com/chatterbox/archives/2008/10/google_analytic.html
-
"utmctr = The keyword phrase someone typed into the search engine.
Really useful this one, however remember it shows the last search
data, not how someone originally found you."
-Ian
On Nov 9, 12:39 pm, hlexa <hl...@hotmail.com> wrote:
> HI!
>
> Sorry about posting this on Codebutler. I hadn't noticed the link to
> this groupe.
>
> Anyway. I'll try here. And with a ouple of refrasings.
>
> What does this code do?
>
> : Cookie:
> : __utma=xxxxxxxxx.yyyyyyyyyy.zzzzzzzzzz.aaaaaaaaaa.bbbbbbbbbb.c;
> : __utmb=xxxxxxxxx.y.zz.aaaaaaaaaa; __utmc=bbbbbbbbbb;
> : __utmz=xxxxxxxxx.yyyyyyyyyy.z.a.utmcsr=google|utmccn=(organic)|
> : utmcmd=organic|utmctr=Firesheep; PHPSESSID=0ezzzzzzz
>
> The above is all on the one and same line. It's copy-pasted here from
> a Usenet posting.
>
hlexa
Nov 10, 2010, 6:54:52 PM11/10/10
to Firesheep
Ah ha! Thanks a lot, Ian.
hlexa
Nov 19, 2010, 6:04:21 PM11/19/10
to Firesheep
Another question.
I've written a script that worked on the above mentioned site.
However, the link appears twice in the Firesheep sidebar.
// Author:
// hlexa
register({
name: "Version2",
url: 'http://www.version2.dk',
domains: [ 'version2.dk' ],
sessionCookieNames: [ 'PHPSESSID' ],
processPacket: function () {
var ID = this.firstPacket.cookies['PHPSESSID'];
this.sessionId = ID;
},
identifyUser: function () {
var resp = this.httpGet(this.siteUrl);
// this.userName = var resp = this.httpGet(this.siteUrl);
this.userName = "Axel, or perhaps Jesper";
}
});
Like I say, it worked - past tense. I posted it to the site in a
comment, because the site is a news site for "IT Professionals".
They've written several articles about Firesheep where they point the
finger at Twitter and Facebook - about how easy they were to Side
Jack.
Anyway, my posting was removed and they now claim that I had
encouraged others to steal user-id's on the site - which I certainly
had not!
And I also got banned from the site. Speak of double standards!
Anyway, why does the link appear twice in the sidebar with the code
here?
I'm also working on another script for a very similar site where I
still have logon - almost the same script - just with different values
for "utl:" and "domains:". This time, Firesheep also produces two
links in the sidebar. However, when i study the output at the bottom
of the sidebar (this could be improved if one could also copy the
contents - that's not possible in OS X) the two session cookies are
different.
I can see that the first session cookie is set and hijacked by FS just
after the browser (IE8) opens the HP - the second one efter I logon.
It doesn't make any difference if I remove the "processPacket:" block.
BTW, what does block do?
The first time I just got an error message, about there being
different sites, but I fixed that by commenting out the line "var resp
= this.httpGet(this.siteUrl);".
Cheers
hlexa
I've written a script that worked on the above mentioned site.
However, the link appears twice in the Firesheep sidebar.
// Author:
// hlexa
register({
name: "Version2",
url: 'http://www.version2.dk',
domains: [ 'version2.dk' ],
sessionCookieNames: [ 'PHPSESSID' ],
processPacket: function () {
var ID = this.firstPacket.cookies['PHPSESSID'];
this.sessionId = ID;
},
identifyUser: function () {
var resp = this.httpGet(this.siteUrl);
// this.userName = var resp = this.httpGet(this.siteUrl);
this.userName = "Axel, or perhaps Jesper";
}
});
Like I say, it worked - past tense. I posted it to the site in a
comment, because the site is a news site for "IT Professionals".
They've written several articles about Firesheep where they point the
finger at Twitter and Facebook - about how easy they were to Side
Jack.
Anyway, my posting was removed and they now claim that I had
encouraged others to steal user-id's on the site - which I certainly
had not!
And I also got banned from the site. Speak of double standards!
Anyway, why does the link appear twice in the sidebar with the code
here?
I'm also working on another script for a very similar site where I
still have logon - almost the same script - just with different values
for "utl:" and "domains:". This time, Firesheep also produces two
links in the sidebar. However, when i study the output at the bottom
of the sidebar (this could be improved if one could also copy the
contents - that's not possible in OS X) the two session cookies are
different.
I can see that the first session cookie is set and hijacked by FS just
after the browser (IE8) opens the HP - the second one efter I logon.
It doesn't make any difference if I remove the "processPacket:" block.
BTW, what does block do?
The first time I just got an error message, about there being
different sites, but I fixed that by commenting out the line "var resp
= this.httpGet(this.siteUrl);".
Cheers
hlexa
Reply all
Reply to author
Forward
0 new messages