I’m attempting to do some soon-to-be-routine testing for cookie value injection for some of my web apps (ASP.NET, if that ends up mattering). I’m trying to insert some Javascript and SQL-specific code for this, but having some problems.
I have FireFox, IE 7 and 8, and Chrome. FireFox’s Add N Edit Cookies extension won’t allow me to change the value to anything with a semicolon in it. Nirsoft’s IECookiesView won’t show the specific cookie I’m after at all (ASP.NET’s session ID cookie).
Are there any other utilities for editing cookies so that I can test this out? My Google-fu seems to be failing me with this one.
Type this into your address bar on the website of the cookie you want to edit. Keep in mind document.cookie is different depending on the domain you are currently viewing.
UNION ALL
SELECT lname FROM Employee
ORDER BY au_lname
Edit: Bobince is right about the semicolon, so here is sql injection without a semicolon.
javascript:document.cookie=”SESSID=’ union select password from users where id=1 — “;
Tamperdata an addon for firefox has pre-built sql injection and xss strings that you can use for testing outgoing requests. Another option is Acunetix which can test http server variables as well as cookie parameters for xss/sql injection and many more vulnerabilities. The Acuentix xss tester is free. w3af and wapiti are free and open source but they do not test cookie variables.