How to log in to Facebook using an active session cookie in the DOM?

4

I'm studying security on web applications.

For educational purposes, I logged into my Facebook page and copied my active session cookie from document.cookie, then opened another browser, went to the Facebook homepage (not logged in) and set document.cookie to my active session cookie, as a string, in that other browser.

It did not work. So I downloaded an extension to inject cookies manually. I copied all the cookies from my active session into the extension in the other browser, and that did not work either.

My logic was simple: with a valid active session ID set in document.cookie, the server should take me to the user page when I refresh.

My question is: at what point is my logic wrong and why?

    
asked by anonymous 28.06.2015 / 07:08

2 answers

2

For it to work you must use a valid User-Agent header [browser]. It has to be up to date, so you can use the Live HTTP Headers [~ Chrome] extension to get the request data. I have already made several requests to Facebook; only 2 cookies validate the session [c_user and xs]. You can use all the others [time, Referer, etc.] or not to enter the user account. In addition, the request must be made through the SSL port [443].

Request example:

    GET / HTTP/1.1
    Host: www.facebook.com:443
    Cookie: c_user=4; xs=44%código+time; csm=2;
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36

That is basically all it takes to get into Facebook. Facebook uses the other cookies to monitor your activity and log in to visited pages, as well as the Referer fields and the time of the visit.

I hope I've helped you and been useful in this response. Good luck!

    
05.07.2015 / 01:44
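
Added example (not part of either answer, and not Facebook's code): a small model of how the `HttpOnly` and `Secure` cookie attributes decide what `document.cookie` exposes to scripts and what the browser sends with a request. If a session-validating cookie is marked `HttpOnly`, a string copied from `document.cookie` does not contain it; the header values, domain and attribute choices below are constructed assumptions, since the page does not state which attributes Facebook sets.

```javascript
// Constructed Set-Cookie headers; names follow the answer above, values and
// attributes are assumptions for illustration, not captured from Facebook.
const SAMPLE_HEADERS = [
  "c_user=1234567890; Path=/; Domain=.example.test; Secure",
  "xs=PLACEHOLDER_SESSION_SECRET; Path=/; Domain=.example.test; Secure; HttpOnly",
  "locale=en_US; Path=/",
];

// Parse one Set-Cookie header into { name, value, httpOnly, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.includes("httponly"),
    secure: flags.includes("secure"),
  };
}

// What a script on the page gets from document.cookie: HttpOnly cookies are
// withheld, so copying this string never captures them.
function scriptVisible(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// What the browser attaches to a request: everything over HTTPS, but only
// non-Secure cookies over plain HTTP.
function requestCookieHeader(jar, isHttps) {
  return jar.filter((c) => isHttps || !c.secure).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Audit helper for defenders: session cookies that lack a protective flag.
function auditSessionCookies(jar, sessionNames) {
  return jar
    .filter((c) => sessionNames.includes(c.name))
    .flatMap((c) => [
      ...(c.httpOnly ? [] : [`${c.name}: missing HttpOnly`]),
      ...(c.secure ? [] : [`${c.name}: missing Secure`]),
    ]);
}

const jar = SAMPLE_HEADERS.map(parseSetCookie);
console.log("document.cookie :", scriptVisible(jar));
console.log("sent over https :", requestCookieHeader(jar, true));
console.log("sent over http  :", requestCookieHeader(jar, false));
console.log("audit findings  :", auditSessionCookies(jar, ["c_user", "xs"]));
```
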
1

It's strange that you ask, because this is what I did just this morning. Basically you just fill in the variables; see what they are with the debugger, as shown below:

After that, simply load the cookies with the following values:

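    // Set a cookie that expires after `exdays` days.
    function setCookie(cname, cvalue, exdays) {
        var d = new Date();
        d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
        var expires = "expires=" + d.toUTCString();
        document.cookie = cname + "=" + cvalue + "; " + expires;
    }

    // Third argument is the lifetime in days (1 is an example value).
    setCookie('c_user', 1234567890, 1);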
    
08.07.2015 / 19:07