• 0

How Do I Read My Password From a Cookie?


Question

Hi. I'm sure that this barely fits into the category... But for my science fair I'm testing how safe public Wi-Fi is, so I downloaded Wireshark so I could capture my own cookies. I was wondering how (if possible) I would be able to read user names and/or passwords to sites through the HTML that I have from the cookies. Don't worry, I am only grabbing my cookies and I'm doing this to highlight safety issues.


17 answers to this question


  • 0

Any unsecured cookies can be captured by examining HTTP headers. Most websites don't store passwords in cookies (instead, they store some kind of access token), so keep that in mind.

  • Like 1

  • 0

You cannot extract passwords from cookies. This sure sounds like BLACKHAT and not WHITEHAT testing, also you are a newly registered account here with 1 post. I doubt your claims are legitimate. 

  • Like 1

  • 0

Thanks! One of my main questions was "Can I find my user names to sites using cookies", SOOO do you happen to know anything about finding user identification using cookies? 

1 minute ago, Circaflex said:

You cannot extract passwords from cookies. This sure sounds like BLACKHAT and not WHITEHAT testing, also you are a newly registered account here with 1 post. I doubt your claims are legitimate. 

Sorry, yeah I just found out about the site. Would you like some entries from my log book?


  • 0
1 minute ago, Jim K said:

They don't.

Thanks for taking time to reply, but I don't understand what you're referring to. I'd be grateful if you would clarify. :)


  • 0
3 minutes ago, exotoxic said:

Well you could start by installing a browser plugin that lets you read cookies from your browser that way you can find out for yourself what they store.

Hi! Thanks, but I'm doing the project as if I'm taking someone's information via session hijacking. So I downloaded Cookie Cadger and Wireshark. I capture my own cookies from there and I can read them, but the most information I'm getting is what site I've visited, my CPU, etc. I'm trying to see where in the code I might be able to find some type of identification like my email address.


  • 0
2 minutes ago, WubbaLubbaScrubScrub said:

I'm trying to see where in the code I might be able to find some type of identification like my email address.

I think you might be in over your head. Any properly coded site won't be leaking the sort of information you are looking for.

The best way for you to demonstrate it would be to code up a sample page that sets a cookie then capture that.


  • 0
14 minutes ago, WubbaLubbaScrubScrub said:

Thanks for taking time to reply, but I don't understand what you're referring to. I'd be grateful if you would clarify. :)

What Jim is saying, is that usernames and passwords are not stored in cookies. Cookies contain a random string from the website serving you.


  • 0
Just now, Circaflex said:

What Jim is saying, is that usernames and passwords are not stored in cookies. Cookies contain a random string from the website serving you.

Thank you. Although I don't agree with random. Most of my research was based off of Firesheep (Oct 24, 2010), which is outdated; it was supposed to display the user names of the people using the Wi-Fi using information from their cookies. From there you were supposed to be able to click on the packet and it would take you to one of 24? websites depending on which one they used. From there you could change minor pieces of their information on their profile. Of course this is before these websites (for example Twitter and Facebook) started using stronger encryption, arguably what started them doing so. Or at least that's what I've heard.


  • 0

I assume they are not currently, but it seems to me part of them might have been at one point in time. Thank you for your time, and I hope you still regard me with respect regardless of my incompetence.


  • 0

Modern websites generally only ever store the session ID in the cookie, then the site's backend does some magic lookup (like verifying the origin IP to the stored session IP) against the session data stored on the server.


  • 0
1 hour ago, exotoxic said:

Well you could start by installing a browser plugin that lets you read cookies from your browser that way you can find out for yourself what they store.

You don't need a plugin for that. F12 > Storage > Cookies in Firefox.

  • Like 2

This topic is now closed to further replies.
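
Added example, not code from any poster in this thread: a small Python audit of the `Set-Cookie` headers from your own test page, following the replies about unsecured cookies and session IDs. It reports which cookies lack the Secure or HttpOnly flag and which carry a readable identifier instead of an opaque token; the cookie names and values are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample: Set-Cookie headers as they might appear in a capture
# of your own test page. Names and values are made up for illustration.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=9f2c4e7ab81d4c0e93a6f5d2b7c1e840; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: remember_user=alice%40example.test; Path=/",
    "Set-Cookie: theme=dark; Path=/; Secure",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attribute dict)."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Return (cookie name, list of finding codes) for one header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Browser may send it over plain HTTP, where a capture can see it.
        findings.append("missing-secure")
    if "httponly" not in attrs:
        # Page scripts can read it via document.cookie.
        findings.append("missing-httponly")
    if EMAIL_RE.search(unquote(value)):
        # A readable identifier sits in the value instead of an opaque token.
        findings.append("identifier-in-value")
    return name, findings

def audit(headers):
    """Map each cookie name to its findings."""
    return dict(audit_cookie(h) for h in headers)

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or ["ok"])
```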