web application security lab

Proxy Server Cookie Stuffing

The 100 embassy passwords that were compromised in the middle of 2007 through compromised Tor exit nodes have always stuck with me. Simply sniffing passwords is a great way to gain a ton of intel about the traffic that’s going over the network. But what about other bad things?

Two “attacks,” if you can call them attacks, sprang to mind when I heard about that. The first was changing banner ads: a malicious proxy can swap one banner ad for another and collect the revenue associated with it. Doing so may or may not prove lucrative, because people using proxies generally aren’t clicking on a lot of ads - or if they are, they aren’t the brightest bulbs.

However, cookie stuffing is a slightly more feasible attack. By setting reseller cookies in the browser on every request made to a partner’s website, the proxy operator can count on some of the people who use the proxy forgetting to clear their cookies after they stop using it. Hackers hacking hackers. Of course, again, if someone is using a proxy to anonymize themselves and doesn’t clear cookies too, they probably need to get hit with a clue stick.
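Both kinds of tampering the post and its comments describe (extra reseller cookies slipped into a partner site’s response, and hidden cross-domain iframes injected into a page) show up as a difference between what the origin server sent and what the proxy delivered. The following is an added example, not code from the original post: it takes a page fetched directly and the same page fetched through a proxy and reports what the proxy added. All hosts, cookie names and HTML in it are constructed sample data, and the `diff_responses`/`set_cookie_names`/`embedded_hosts` helpers are this example’s own.

```python
"""
Differential audit of a page fetched directly versus through a proxy
(added example, not code from the original post).  It reports:
  - Set-Cookie headers present only in the proxied response (how a
    reseller/affiliate cookie stuffed in by the proxy would appear), and
  - iframe/img/script elements present only in the proxied body, flagged
    as third-party when they point at a host other than the requested page
    (how a hidden iframe injected to make the browser send its cookies to
    another site would appear).
All hosts, cookie names and HTML below are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# src attribute of iframe, img and script elements.  Plain regex is enough
# for this sample; a production tool would use a real HTML parser.
EMBED_SRC = re.compile(
    r'<(iframe|img|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def set_cookie_names(headers):
    """Return the set of cookie names from every Set-Cookie header.
    headers is a list of (name, value) pairs; duplicate names are allowed."""
    names = set()
    for name, value in headers:
        if name.lower() == 'set-cookie':
            cookie_name = value.split(';', 1)[0].split('=', 1)[0].strip()
            names.add(cookie_name)
    return names


def embedded_hosts(body):
    """Return {(tag, host)} for every absolute iframe/img/script src in body.
    Relative URLs have no host, stay first-party, and are ignored."""
    found = set()
    for tag, src in EMBED_SRC.findall(body):
        host = urlsplit(src).hostname
        if host:
            found.add((tag.lower(), host.lower()))
    return found


def diff_responses(requested_url, direct, proxied):
    """direct and proxied are dicts with 'headers' (list of pairs) and 'body'.
    Returns a sorted list of (kind, detail) findings describing proxy additions."""
    findings = []
    page_host = urlsplit(requested_url).hostname.lower()

    added_cookies = set_cookie_names(proxied['headers']) - set_cookie_names(direct['headers'])
    for cookie_name in sorted(added_cookies):
        findings.append(('cookie-added-by-proxy', cookie_name))

    added_embeds = embedded_hosts(proxied['body']) - embedded_hosts(direct['body'])
    for tag, host in sorted(added_embeds):
        kind = 'third-party-embed-added' if host != page_host else 'embed-added'
        findings.append((kind, f'{tag} -> {host}'))
    return findings


# Constructed sample: the same partner page fetched twice.
DIRECT = {
    'headers': [('Content-Type', 'text/html'),
                ('Set-Cookie', 'session=abc123; Path=/; HttpOnly')],
    'body': '<html><body><img src="/logo.png"><p>Welcome</p></body></html>',
}
PROXIED = {
    'headers': [('Content-Type', 'text/html'),
                ('Set-Cookie', 'session=abc123; Path=/; HttpOnly'),
                # reseller tag inserted by the proxy (constructed placeholder value)
                ('Set-Cookie', 'affiliate_ref=RESELLER-ID-PLACEHOLDER; Path=/; Max-Age=2592000')],
    'body': ('<html><body><img src="/logo.png"><p>Welcome</p>'
             # hidden iframe inserted by the proxy, pointing at another site
             '<iframe src="https://mail.example.net/inbox" style="display:none"></iframe>'
             '</body></html>'),
}

if __name__ == '__main__':
    for kind, detail in diff_responses('https://shop.example.com/', DIRECT, PROXIED):
        print(f'{kind}: {detail}')
```

Run against the constructed pair it reports the stuffed `affiliate_ref` cookie and the injected iframe to `mail.example.net`; run against two identical responses it reports nothing. The comparison is by cookie name and by embedded host, so a proxy that merely rewrites a cookie’s value or swaps one first-party image for another is not flagged, which is the deliberate trade-off for keeping the check free of false positives on pages that legitimately vary between fetches.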

8 Responses to “Proxy Server Cookie Stuffing”

  1. yawnmoth Says:

    With regard to ad replacement… there are some companies that partner with ISPs to do just that:

    http://en.wikipedia.org/wiki/NebuAd
    http://en.wikipedia.org/wiki/Phorm

    etc.

    As for cookie stuffing… I’d say the more serious problem is cross domain cookie stealing. You visit website A and only website A, but… website A could be rewritten, by the proxy, to contain a hidden iframe to http://gmail.com/. Your browser then sends your cookies to gmail.com, since you didn’t clear them beforehand, and the proxy then intercepts them.

    Indeed, if you’re on a LAN and the attacker knows this, you could, it stands to reason, also intercept cookies for internal.domain.tld. You could also insert, it stands to reason, a Java applet to bypass the browser’s proxy settings and read content on a user’s LAN. The Java applet could then connect to the proxy server and send the content in such a way that the proxy server would log it.

    Cookies, that the hidden iframe determined, could be passed to the Java applet, as well, if necessary.

  2. anonymous Says:

    Hi ,

    so I am a noob to the terminology — I understood what you meant by cookies not being cleaned etc. .. but what does Reseller stand for? who is the reseller and the partner ?

    could you elucidate with an example ?

  3. RSnake Says:

    @yawnmoth - that was the Tor problem (already discussed) but I agree - that is the primary problem (sniffing/credential theft).

    @anonymous - reseller is someone who is selling something on behalf of the partner. So a partner would be amazon, and the reseller would be the hacker who wants to stuff the Amazon cookie with his own reseller ID so that when the victim visits Amazon some time later and buys something they are going to give the hacker some small amount of money as a referral.

  4. yawnmoth Says:

    Cookie stuffing:

    http://www.benedelman.org/cookiestuffing/

    The article uses the term affiliates but, in my mind, they’re pretty much the same thing.

  5. mamad Says:

    plz send porxy for me .i need a proxy thanks

  6. spascho Says:

    nice and useful article, it’s very useful for those who use http://vpnomania.com/proxy-surf.html and http://world-secure-channel.com/why

  7. masoud Says:

    I want new proxy surf

  8. Ron Says:

    mamad… Are you retarded? How did you get a computer? You should turn it off and read a book.

    “plz send porxy for me .i need a proxy thanks”

    I just want to slap some intelligence into people like this.