
  • 0

How Do I Read My Password From a Cookie?

Question

WubbaLubbaScrubScrub    1

Hi. I'm sure that this barely fits into the category... But for my science fair I'm testing how safe public Wi-Fi is, so I downloaded Wireshark so I could capture my own cookies. I was wondering how (if possible) I would be able to read user names and/or passwords to sites through the HTML that I have from the cookies. Don't worry, I am only grabbing my cookies and I'm doing this to highlight safety issues.


17 answers to this question


  • 0
virtorio    2,534

Any unsecured cookies can be captured by examining HTTP headers. Most websites don't store passwords in cookies (instead, they store some kind of access token), so keep that in mind.

  • Like 1
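
As an added example (not part of the original post), this script audits `Set-Cookie` response headers for the attributes that decide whether a cookie can show up in a plaintext HTTP capture, and flags values that look like personal data rather than an opaque token. The sample headers and cookie names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=9f2c4e7ab1d04c6e8a3f5b7c9d1e2f30; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: remember_user=alice%40example.test; Path=/; Max-Age=2592000
Set-Cookie: theme=dark; Path=/
"""

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs

def audit(raw_headers):
    """Return {cookie_name: [findings]} for every Set-Cookie header."""
    report = {}
    for line in raw_headers.splitlines():
        key, _, val = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(val.strip())
        findings = []
        if "secure" not in attrs:
            findings.append("no Secure: also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append("no HttpOnly: readable by page scripts")
        if "samesite" not in attrs:
            findings.append("no SameSite attribute")
        if "@" in unquote(value):  # URL-decoded value contains an address
            findings.append("value looks like an email address")
        report[name] = findings
    return report

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```
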

  • 0
Circaflex    3,368

You cannot extract passwords from cookies. This sure sounds like BLACKHAT and not WHITEHAT testing, also you are a newly registered account here with 1 post. I doubt your claims are legitimate. 

  • Like 1

  • 0
WubbaLubbaScrubScrub    1

Thanks! One of my main questions was "Can I find my user names to sites using cookies", SOOO do you happen to know anything about finding user identification using cookies? 

1 minute ago, Circaflex said:

You cannot extract passwords from cookies. This sure sounds like BLACKHAT and not WHITEHAT testing, also you are a newly registered account here with 1 post. I doubt your claims are legitimate. 

Sorry, yeah I just found out about the site. Would you like some entries from my log book?

  • 0
WubbaLubbaScrubScrub    1

I get that I seem really sketchy XD

 

  • 0
Jim K    10,334

They don't.

  • 0
WubbaLubbaScrubScrub    1
1 minute ago, Jim K said:

They don't.

Thanks for taking time to reply, but I don't understand what you're referring to. I'd be grateful if you would clarify. :)

  • 0
exotoxic    560

Well, you could start by installing a browser plugin that lets you read cookies from your browser; that way you can find out for yourself what they store.

  • 0
WubbaLubbaScrubScrub    1
3 minutes ago, exotoxic said:

Well, you could start by installing a browser plugin that lets you read cookies from your browser; that way you can find out for yourself what they store.

Hi! Thanks, but I'm doing the project as if I'm taking someone's information via session hijacking. So I downloaded Cookie Cadger and Wireshark. I capture my own cookies from there and I can read them, but the most information I'm getting is what site I've visited, my CPU, etc. I'm trying to see where in the code I might be able to find some type of identification, like my email address.

  • 0
exotoxic    560
2 minutes ago, WubbaLubbaScrubScrub said:

I'm trying to see where in the code I might be able to find some type of identification, like my email address.

I think you might be in over your head. Any properly coded site won't be leaking the sort of information you are looking for.

 

The best way for you to demonstrate it would be to code up a sample page that sets a cookie, then capture that.

  • 0
Circaflex    3,368
14 minutes ago, WubbaLubbaScrubScrub said:

Thanks for taking time to reply, but I don't understand what you're referring to. I'd be grateful if you would clarify. :)

What Jim is saying is that usernames and passwords are not stored in cookies. Cookies contain a random string from the website serving you.

  • Like 1

  • 0
WubbaLubbaScrubScrub    1

Do you want a sample of the HTML that I have?

 

  • 0
WubbaLubbaScrubScrub    1
Just now, Circaflex said:

What Jim is saying is that usernames and passwords are not stored in cookies. Cookies contain a random string from the website serving you.

Thank you. Although I don't agree with random. Most of my research was based off of Firesheep (Oct 24, 2010), which is outdated; it was supposed to display the user names of the people using the Wi-Fi using information from their cookies. From there you were supposed to be able to click on the packet and it would take you to one of 24? websites depending on which one they used. From there you could change minor pieces of their information on their profile. Of course, this is before these websites (for example Twitter and Facebook) started using stronger encryption, arguably what started them doing so. Or at least that's what I've heard.

  • 0
Shiranui    1,821

Are login credentials EVER stored in cookies?

  • 0
WubbaLubbaScrubScrub    1

I assume they are not currently, but it seems to me part of them might have been at one point in time. Thank you for your time, and I hope you still regard me with respect regardless of my incompetence.

  • 0
WubbaLubbaScrubScrub    1

I would also like to ask if you could maybe find some of this information in sessions?

  • 0
Matthew S.    336

Modern websites generally only ever store the session ID in the cookie, then the site's backend does some magic lookup (like verifying the origin IP to the stored session IP) against the session data stored on the server.

  • Like 1
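
The server-side lookup described in the post above, as an added example that is not part of the original post or any particular site's code: the cookie carries only a random session ID, and the user name, bound IP and expiry stay in the server's store. The class name, cookie name `sid` and the addresses are assumptions made for illustration.

```python
import secrets
import time

class SessionStore:
    """Server-side sessions: the browser only ever holds an opaque ID."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session ID -> record held only on the server

    def login(self, username, client_ip, now=None):
        """Create a session and return the Set-Cookie value to send."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "ip": client_ip,
                               "expires": now + self.ttl}
        # Nothing about the user is encoded in the cookie itself.
        return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def lookup(self, cookie_header, client_ip, now=None):
        """Map a request's Cookie header back to a user, or return None."""
        now = time.time() if now is None else now
        sid = None
        for pair in cookie_header.split(";"):
            key, _, value = pair.strip().partition("=")
            if key == "sid":
                sid = value
        record = self._sessions.get(sid)
        if record is None:
            return None
        if now >= record["expires"] or record["ip"] != client_ip:
            del self._sessions[sid]  # expired or wrong address: revoke it
            return None
        return record["user"]

if __name__ == "__main__":
    store = SessionStore()
    set_cookie = store.login("alice@example.test", "203.0.113.5")
    cookie = set_cookie.split(";")[0]  # what the browser sends back
    print(store.lookup(cookie, "203.0.113.5"))   # the stored user name
    print(store.lookup(cookie, "198.51.100.9"))  # None: address mismatch
```

The IP comparison is the weaker of the two controls here: clients behind the same NAT, as on a shared hotspot, present the same public address, so the `Secure` attribute and HTTPS are what keep the ID out of a capture.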

  • 0
LaP    1,845
1 hour ago, exotoxic said:

Well, you could start by installing a browser plugin that lets you read cookies from your browser; that way you can find out for yourself what they store.

You don't need a plugin for that. F12 > Storage > Cookies in Firefox.

  • Like 2

