‘Hacking’ Rails session (Zagorski Software Tester)

On March 30, 2013, in Syndicated, by Association for Software Testing

One important attack vector in web applications is the content of the session cookie. The Rails security guide gives all the relevant information on which data may be stored in a cookie session.
I will explain how you can obtain the content of the cookie session object (I learned this from this blog post). First, get the application cookie: press F12 in Chrome, switch to the Network tab, log in to the application you are testing and select the POST authentication request. In the response, find the Set-Cookie header and copy the cookie value. The cookie value ends with a ';' character.
Start irb, the Ruby interpreter. First Base64-decode the cookie string value, then de-marshal it. Here is the Ruby code:

require 'base64'
cookie = '<paste the Set-Cookie value here>'  # the value copied from the Set-Cookie header, without the trailing ';'
plain = Base64.decode64(cookie)               # strip the Base64 transport encoding
data = Marshal.load(plain)                    # rebuild the Ruby object Rails serialised into the cookie

Tip: if the third line raises an exception, you need to require the package that contains the reported class.

data is a Ruby hash object that represents the Rails session.
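As an added example (not code from the original post), the round trip below builds a session cookie the way the Rails 3 CookieStore did (Marshal, Base64, then "--" and an HMAC-SHA1 hex digest over the payload), reads it back exactly as described above, and shows the signature check that the application performs before trusting the contents. The secret and the session contents are constructed for the example.

```ruby
require 'base64'
require 'openssl'
require 'cgi'

# Constructed secret standing in for the application's config.secret_token.
SECRET = 'constructed-example-secret-do-not-reuse'

def hmac_sha1_hex(secret, payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Rails 3 CookieStore layout: base64(Marshal.dump(session)) + "--" + HMAC-SHA1 hex.
# The cookie is signed, not encrypted: anyone holding it can read the session.
def sign_session(session, secret = SECRET)
  payload = Base64.strict_encode64(Marshal.dump(session))
  "#{payload}--#{hmac_sha1_hex(secret, payload)}"
end

# Set-Cookie carries the value URL-encoded and terminated by ';'.
def split_cookie(cookie_value)
  CGI.unescape(cookie_value.chomp(';')).split('--', 2)
end

# What the post does by hand: drop the signature, Base64-decode, de-marshal.
def read_session(cookie_value)
  payload, _digest = split_cookie(cookie_value)
  Marshal.load(Base64.decode64(payload))
end

# Constant-time comparison so a forged digest cannot be matched byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The application must run this check before Marshal.load: a modified payload
# only passes if the attacker also knows the secret.
def signature_valid?(cookie_value, secret = SECRET)
  payload, digest = split_cookie(cookie_value)
  return false if digest.nil?
  secure_equal?(hmac_sha1_hex(secret, payload), digest)
end
```

Calling read_session on a cookie you received in Set-Cookie gives the same hash that the three-line irb session above produces.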
