ronin-rb · @ronin_rb
63 followers · 25 posts · Server infosec.exchange

Sneak peek at the new ronin-web session-cookie command coming in ronin-web-1.1.0:

$ ./bin/ronin-web session-cookie "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
$ ./bin/ronin-web session-cookie --verbose "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
Type: JWT
Header:

{
"alg": "HS256",
"typ": "JWT"
}

Params:

{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}

HMAC: "I\xf9J\xc7\x04IH\xc7\x8a(\\\x90O\x87\xf0\xa4\xc7\x89\x7f~\x8f:N\xb2%V\x9dB\xcb0\xe5"

#websecurity #sessioncookies #bugbountyhunters

Last updated 1 year ago

@postmodern
873 followers · 569 posts · Server infosec.exchange

@wilson I had to figure out Django's weird "project" vs. "app" design, and wire up a "view" to set a "session variable" which apparently you do by modifying request.session, and set SESSION_ENGINE to ' django.contrib.sessions.backends.signed_cookies', but I finally got it:

Set-Cookie:  sessionid=eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA; expires=Fri, 24 Feb 2023 23:07:05 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

The first part of the session cookie is the Base64 JSON serialized session variables. Second part appears to be the request ID or some kind of counter, and the third part must be related to the HMAC:

If I set SESSION_SERIALIZER to 'django.contrib.sessions.serializers.PickleSerializer' (which is apparently getting removed in 5.0, but is probably still used), I get the pickled session variables:

Set-Cookie:  sessionid=gAWVEAAAAAAAAAB9lIwDZm9vlIwDYmFylHMu:1pQcay:RjaK8DKN4xXQ_APIXXWEyFS08Q-PGo6UlRBFpedFk9M; expires=Fri, 24 Feb 2023 23:14:20 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

#django #sessioncookies

Last updated 2 years ago
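The three-part signed_cookies layout in the post above, worked through as an added Python example (not Django's own code and not part of ronin-web): it reimplements the TimestampSigner scheme Django uses for that backend, assuming Django's default SHA-256 signing and a constructed SECRET_KEY, since the real key behind the posted cookie is unknown. With no secret it only decodes the payload and the base62 timestamp; with a secret it also checks the HMAC and the cookie age.

```python
import base64, hashlib, hmac, json, time, zlib

B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # Django's base62 alphabet
SESSION_SALT = "django.contrib.sessions.backends.signed_cookies"          # salt the backend passes to the signer
PAGE_COOKIE = "eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA"  # sessionid from the post

def b64d(s):  # Django emits urlsafe base64 with the '=' padding stripped
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b62d(s):  # the middle field is the issue time as a base62 integer
    return sum(B62.index(ch) * 62 ** i for i, ch in enumerate(reversed(s)))
def b62e(n):
    out = ""
    while n > 0:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out or "0"

def django_signature(secret, value, salt=SESSION_SALT):
    # Signer: key = sha256(salt + "signer" + SECRET_KEY); signature = HMAC-SHA256(key, "payload:timestamp")
    key = hashlib.sha256((salt + "signer" + secret).encode()).digest()
    return b64e(hmac.new(key, value.encode(), hashlib.sha256).digest())

def decode_payload(payload):
    compressed = payload.startswith(".")  # a leading '.' marks zlib-compressed session data
    data = b64d(payload[1:] if compressed else payload)
    data = zlib.decompress(data) if compressed else data
    if data.startswith(b"\x80"):  # pickle PROTO opcode (PickleSerializer): hand back bytes, never unpickle
        return {"pickle_bytes": data}
    return json.loads(data)

def inspect_cookie(cookie, secret=None, max_age=1209600, now=None):
    """Split payload:timestamp:signature; verify HMAC and age only when the SECRET_KEY is known."""
    signed_value, sig = cookie.rsplit(":", 1)  # rsplit, as TimestampSigner.unsign does
    payload, ts = signed_value.rsplit(":", 1)
    info = {"session": decode_payload(payload), "issued_at": b62d(ts)}
    if secret is not None:
        info["signature_valid"] = hmac.compare_digest(django_signature(secret, signed_value), sig)
        now = int(time.time()) if now is None else now
        info["expired"] = now - info["issued_at"] > max_age
    return info

def make_cookie(secret, session, now=None):
    # Same layout SessionStore produces with the JSON serializer and no compression
    payload = b64e(json.dumps(session, separators=(",", ":")).encode())
    signed_value = payload + ":" + b62e(int(time.time()) if now is None else now)
    return signed_value + ":" + django_signature(secret, signed_value)
```

The timestamp in the posted cookie decodes to 1676070425, exactly 14 days (the Max-Age) before the Expires date in the same Set-Cookie header.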

@postmodern
870 followers · 555 posts · Server infosec.exchange

Why is it so hard to get an example of what a Set-Cookie session cookie header looks like for Django? No, I don't want to know how to use cookies in a Django app, I want to see the raw HTTP output. I swear Google is getting worse.

#django #http #sessioncookies

Last updated 2 years ago