1

I have tried using Postman with some SessionId to send an authentication POST request. My question is very similar to this post. It is:

If I use a Java program to get a user's sessionId (stored in a cookie) and send it to e.g. Google for authentication for session hijacking, is it possible? If it is not possible, why can Postman Interceptor do it successfully?

  • I think Java sessions work about the same as asp.net sessions, and I have successfully demonstrated session hijacking of those by hand using two browsers. For a countermeasure, we had to recreate the session at login time, and accompany it with a second random cookie. – Paul Kienitz Oct 13 '15 at 18:33
  • @PaulKienitz That is to say, this Question is right? – PigeonIsBigBird Oct 13 '15 at 18:42
  • That doesn't say anything about the other question. But Java is not a special programming language that is restricted to do good things or so. Postman as a plugin has a far easier time accessing cookies, since it's already inside Chrome, than a program that tries to access the cookies from the outside. Maybe they are still stored in that SQLite file, which makes it easy to access them from the outside. Maybe it changed. But what you can be sure of is that, if possible in any language, it's also possible with Java (worst case you have to use native bindings). – zapl Oct 13 '15 at 18:47
  • @zapl Is it possible that I get another user's sessionId (through a Java program installed for this user) and send it to Google for authentication? – PigeonIsBigBird Oct 13 '15 at 19:25

0 Answers
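The countermeasure mentioned in the comments (recreate the session at login and pair it with a second random cookie) can be modelled as follows. This is an added example, not code from the thread or from any framework; the class `SessionRotationDemo` and its methods are hypothetical, and the session store is a plain in-memory map.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory model of a server-side session store (illustration only).
// In a servlet container the rotation step corresponds to
// HttpServletRequest.changeSessionId() (Servlet 3.1+).
public class SessionRotationDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // session id -> companion token ("" while the session is still anonymous)
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    String newAnonymousSession() {
        String id = randomToken();
        sessions.put(id, "");
        return id;
    }

    // Login: discard the pre-login id, issue a fresh id plus a second random cookie.
    String[] login(String oldId) {
        if (oldId != null) sessions.remove(oldId);
        String id = randomToken();
        String companion = randomToken();
        sessions.put(id, companion);
        return new String[] { id, companion };
    }

    // Authenticated only if both cookies are present and the companion matches.
    boolean isAuthenticated(String id, String companion) {
        if (id == null || companion == null) return false;
        String expected = sessions.get(id);
        if (expected == null || expected.isEmpty()) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     companion.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        SessionRotationDemo store = new SessionRotationDemo();
        String preLogin = store.newAnonymousSession(); // id that existed before login
        String[] cookies = store.login(preLogin);
        System.out.println("old id after login: " + store.isAuthenticated(preLogin, ""));
        System.out.println("session id alone:   " + store.isAuthenticated(cookies[0], null));
        System.out.println("both cookies:       " + store.isAuthenticated(cookies[0], cookies[1]));
    }
}
```

The companion cookie only helps when it is harder to obtain than the session id, for example when it is set with different cookie attributes; software that can read the browser's entire cookie store, as discussed in the comments, obtains both values.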