DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 01:59 PM |
what is the value encrypted in?
don't delete this post for I am just asking a simple question that could lead me to finding some neat stuff editing cookies. hehe |
|
|
|
|
|
| 31 Dec 2012 02:03 PM |
| I doubt that it is any plaintext encrypted, and probably more a random XOR'd session id. |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 02:10 PM |
thanks and it is somewhat encrypted in XOR. when I decrypt it it comes in complete gibberish. I forgot what that word is for when the text is in random symbols.
anyway what does .ROBLOSECURITY contain in it? and is it worth it to edit some things which = fun? |
|
|
|
|
|
| 31 Dec 2012 02:37 PM |
I honestly doubt you decrypted it, especially since there is no way to tell if you have the correct XOR key or if it is a pass phrase instead.
And no, there is no reason. It is several hundred characters long, meaning that if you just randomly changed letters it would not even remotely work, and it only has info to link your browser to a session on the server. |
|
|
|
|
NVI
|
  |
| Joined: 11 Jan 2009 |
| Total Posts: 4744 |
|
|
| 31 Dec 2012 02:44 PM |
"The SessionID property is used to uniquely identify a browser with session data on the server. The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The SessionID value is then sent in a cookie with each request to the ASP.NET application."
It's a randomly generated identifier. Editing changes nothing. Learn about sessions. |
|
|
|
|
Merely
|
  |
| Joined: 07 Dec 2010 |
| Total Posts: 17266 |
|
|
| 31 Dec 2012 02:44 PM |
| It's encrypted server-side. |
|
|
|
|
NVI
|
  |
| Joined: 11 Jan 2009 |
| Total Posts: 4744 |
|
|
| 31 Dec 2012 02:45 PM |
Although, it is perfectly possible to obtain someone else's session ID from this cookie if you have access to it. Means you'll log in as them.
Connor and I have done that before, and it can be done again. There's no way to safeguard against it:
"The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID."
It's just how sessions work. |
|
|
|
|
stravant
|
  |
 |
| Joined: 22 Oct 2007 |
| Total Posts: 2893 |
|
|
| 31 Dec 2012 03:41 PM |
It isn't _even_ encrypted.
There's nothing to encrypt, it's just a number. |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 05:37 PM |
but what do the numbers mean? do they just put a letter/number in between every word or number ID or something, like A1A0A1A0 or 0H8E8L2L5O1? i just found out they can't be edited since it won't do anything, but how would you go about accessing another person's account via cookies? |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 05:38 PM |
| and I'm doing this for the good because i want to figure out HOW to do so |
|
|
|
|
|
| 31 Dec 2012 05:44 PM |
| Is it some sort of way to identify unique users? Are all users numbered? |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 05:46 PM |
every time you go on a roblox page there is a .ROBLOSECURITY cookie that has all your login information inside it.
i'm just trying to figure out how they can log on to another user's account by knowing their .ROBLOSECURITY |
|
|
|
|
|
| 31 Dec 2012 05:47 PM |
| What if you replace your .ROBLOSECURITY with theirs? |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 05:48 PM |
fffffffffffffffffffffffffffffffffffffffffffffffffffffffff
i wasn't even thinking about that. i shall try it in just a bit, maybe it will work. |
|
|
|
|
|
| 31 Dec 2012 05:54 PM |
it worked. wuuzaaaa. i'm about to try this on a friend just for fun (i'll give him back his acc)
thanks asumpwner |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 05:54 PM |
omg wrong account, that was me |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 31 Dec 2012 06:01 PM |
Let's clear up some misconceptions.
.ROBLOSECURITY is encrypted by the server. However, decrypting it isn't feasible client-side, so it isn't done.
Also, the fact that you can gain access to someone else's account if you have their .ROBLOSECURITY isn't a flaw. It's how cookies work. Just don't give out your cookies, ever! |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 06:09 PM |
haha the way you said it "Just don't give out your *cookies*, ever!" ain't nobody taking my cookies :<
anyway are google chrome extensions or other outside applications on our computer able to see our cookies? I know applications are but what about google chrome extensions? |
|
|
|
|
stravant
|
  |
 |
| Joined: 22 Oct 2007 |
| Total Posts: 2893 |
|
|
| 31 Dec 2012 07:20 PM |
"but what do the numbers mean"
It doesn't mean anything to anyone but the server.
You can think of the server as having a big table of those numbers, and associated with each number is a value saying "XXX account is logged in", then the server will let you do things as that account.
Basically, that number is a "secret key" that your browser passes the site, much like a password. The difference from just sending your password is that with such a key, the key can change often, and be much longer than a password. |
|
|
|
|
DannyCore
|
  |
| Joined: 25 Apr 2012 |
| Total Posts: 990 |
|
|
| 31 Dec 2012 08:06 PM |
| you're so smart stravant that you saved my day |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 31 Dec 2012 10:50 PM |
> You can think of the server as having a big table of those numbers, and associated with each number is a value saying "XXX account is logged in", then the server will let you do things as that account.
That's a good guess, but wrong. When you make a request to a web page, the server decrypts your .ROBLOSECURITY cookie to determine information, such as when the cookie was created or your username.
And this is why session fixation is a problem. If .ROBLOSECURITY was merely a key in a table, it would simply be a matter of removing that particular entry whenever the user logged out. |
|
|
|
|
|
| 31 Dec 2012 11:07 PM |
| The cookie itself has no information. |
|
|
|
|
|
| 31 Dec 2012 11:18 PM |
| I just realized that if you had the algorithm that converts the session number into the content of the cookie, you could actually brute-force it and not have the problem of CAPTCHAs... I mean, it'd probably be even longer than brute-forcing a pw, but you won't have the problem of CAPTCHAs or flood checkers... |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 31 Dec 2012 11:19 PM |
| Wrong. The cookie does contain information. Google "FormsAuthenticationTicket" if you don't believe me. |
|
|
|
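The two server-side models argued over in this thread (stravant's lookup table and the self-contained ticket Seranok describes), shown side by side as an added example that is not Roblox's or ASP.NET's code. The ticket here is only HMAC-signed rather than encrypted as a real FormsAuthenticationTicket would be, and every name in it (`SERVER_KEY`, `table_login`, `ticket_issue` and so on) is hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # constructed key; it never leaves the server
sessions = {}                          # table model: session id -> username
revoked = set()                        # ticket model: ids of logged-out tickets

# --- Model 1: opaque random id looked up in a server-side table ---
def table_login(user):
    sid = secrets.token_urlsafe(32)
    sessions[sid] = user
    return sid

def table_check(sid):
    return sessions.get(sid)           # None once the entry is gone

def table_logout(sid):
    sessions.pop(sid, None)            # the old cookie stops working at once

# --- Model 2: self-contained ticket, authenticated with HMAC-SHA256 ---
def ticket_issue(user, ttl=3600, now=None):
    now = time.time() if now is None else now
    body = json.dumps({"id": secrets.token_hex(8), "user": user,
                       "exp": now + ttl}).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + body).decode()

def ticket_check(cookie, now=None, honour_revocation=True):
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    mac, body = raw[:32], raw[32:]
    good = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, good):
        return None                    # any edited byte ends up here
    data = json.loads(body)
    if data["exp"] < now:
        return None
    if honour_revocation and data["id"] in revoked:
        return None
    return data["user"]

def ticket_logout(cookie, now=None):
    if ticket_check(cookie, now) is None:
        return                         # ignore forged or expired cookies
    raw = base64.urlsafe_b64decode(cookie.encode())
    revoked.add(json.loads(raw[32:])["id"])
```

With `honour_revocation=False` a logged-out ticket keeps verifying until `exp`, whereas the table model rejects the old cookie as soon as logout deletes the entry.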
|
|
| 31 Dec 2012 11:20 PM |
"That's a good guess, but wrong. When you make a request to a web page, the server decrypts your .ROBLOSECURITY cookie to determine information, such as when the cookie was created or your username."
I doubt that. When the cookie is created is already stored in another cookie and I think it can also be provided by the web browser. As for the username, if the cookie contained only the time of creation and the username, then someone could steal any account only by having the algorithm used by ROBLOX to encrypt them...
Then, again, it would also make sense.. |
|
|
|
|