Cookie poisoning leads to DoS and Privacy Violation

When the verification goes wrong.

The avatar cookie contains the URL of the avatar image. But what if we change it?

When I was hunting on cs.money, I noticed that the avatar cookie held the URL of the user's avatar on Steam. I changed the cookie to the URL of some other image and saw that it loaded on the main page.

So far there is nothing very special: we can load a different image instead of the expected one. So what?

Okay, I tried to chat with support and… my request got blocked. After playing around with the cookie value a little, I tried inserting part of the Steam avatar URL as a parameter of a URL pointing at my own server.

Privacy Violation

Yes, I was right. The server was not checking the URL properly. The back-end verification was something like this (pseudocode):

The right verification should be:

I got a request on my server from the support agent's browser. It tried to load the image URL by sending an HTTP request to my server, so now I had the support agent's IP address and User-Agent.
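To make the broken check and the corrected one concrete, here is an added Python example written for this edit. It is not the code from cs.money or from the original post (the post does not show the actual verification). It reconstructs the kind of substring test that lets "part of the Steam avatar URL as a parameter" pass, and places a parse-the-URL check beside it. The host avatars.steam-cdn.example, the attacker host, the logout path, and the sample cookie values are all assumptions used only for illustration.

```python
from urllib.parse import urlparse

# Assumption: the real Steam avatar CDN host is not named in the post, so this
# stand-in host is used both for the allowlist and as the substring marker.
ALLOWED_AVATAR_HOSTS = {"avatars.steam-cdn.example"}
AVATAR_MARKER = "avatars.steam-cdn.example"


def is_avatar_url_vulnerable(url: str) -> bool:
    """Reconstruction of the broken check: accept the cookie value as long as
    the Steam avatar fragment appears anywhere in it. The post reports that
    putting that fragment in a query parameter of the attacker's URL was
    enough to pass, which is exactly what a substring test allows."""
    return AVATAR_MARKER in url


def is_avatar_url_hardened(url: str) -> bool:
    """Corrected check: parse the URL and compare the host component against
    an exact allowlist, so the fragment cannot be smuggled in via the query
    string, the path, the userinfo part, or a look-alike subdomain."""
    try:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            return False
        # "https://avatars...@attacker.example/" puts the marker in userinfo;
        # hostname would still be attacker.example, but reject userinfo outright.
        if parsed.username is not None or parsed.password is not None:
            return False
        # hostname is lower-cased and stripped of port and userinfo.
        if parsed.hostname not in ALLOWED_AVATAR_HOSTS:
            return False
        # .port raises ValueError for a non-numeric port; treat that as invalid.
        if parsed.port not in (None, 443):
            return False
    except ValueError:
        return False
    return True


# Constructed cookie values for the example; the cs.money logout path is a guess.
SAMPLE_COOKIE_VALUES = [
    "https://avatars.steam-cdn.example/ab/abc123_full.jpg",                      # legitimate
    "https://attacker.example/track.png?src=avatars.steam-cdn.example/abc.jpg",  # marker in query
    "https://avatars.steam-cdn.example@attacker.example/track.png",              # marker in userinfo
    "https://avatars.steam-cdn.example.attacker.example/track.png",              # look-alike subdomain
    "https://cs.money/logout?ref=avatars.steam-cdn.example",                     # the DoS variant
    "http://avatars.steam-cdn.example/ab/abc123_full.jpg",                       # downgrade to http
]


def classify(urls):
    """Return {url: (substring_check_result, parsed_check_result)} for each value."""
    return {u: (is_avatar_url_vulnerable(u), is_avatar_url_hardened(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strong) in classify(SAMPLE_COOKIE_VALUES).items():
        print(f"substring check: {str(weak):5}  parsed check: {str(strong):5}  {url}")
```

Run it and every constructed value except the first passes the substring check while only the first passes the parsed check. Two design points follow from the post: the cookie value is fully attacker-controlled, so the stronger fix is to not trust it at all and take the avatar URL from the server-side session created at Steam login; and the logout trick works only because a plain GET carrying the agent's session cookie ends the session, so making logout a POST with a CSRF token closes that leg independently of the URL check.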

Denial of Service

Now think: what if, instead of the attacker's server, we insert the cs.money logout URL? Bingo!

The support agent's browser sends a request to the logout URL and logs them out. The image load is a plain GET carrying the agent's session cookie, so that single request is enough to end the session.

Final thoughts

It is amazing to see how a small flaw, just an incorrect verification of the avatar cookie, can have an impact like that.

Cs.money paid me a $500 reward (high impact at support.cs.money). As I had already reported the problem (being able to change the avatar to other images) and they had closed it as Not Applicable, they kindly gave me a $200 bonus. You can check my report here.

Let me know if you liked it, clap!

Benjamin Walter

Programmer, ethical hacker and pentester. 18 yo.
