On 2001.12.27, Peter M. Jansson <[EMAIL PROTECTED]> wrote:
> The one way cookies can help avoid hijacking is in a
> security-through-obscurity sense, since it's more difficult to set a
> cookie using the conventional command-line tools, or even through browsers
> (browsers I use allow viewing and deleting of cookies, but not creation,
> as far as I know).

Netscape has the option of "allow all cookies" or "allow cookies
that get sent back to the originating server."  So, if you just
set "allow all cookies" then send your browser a set-cookie where
domain= the domain you want to attack, setting cookies becomes
pretty trivial.

Also, if you use a tool like wget with --header="Cookie: ..."
it's pretty easy to at least write something that brute-force
attacks a website that uses session IDs with cookies.

-- Dossy

--
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network             web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
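
Added example, not part of the original message: a server-side sketch of why cookie obscurity is not the control that matters, with session IDs drawn from the OS CSPRNG and a per-client counter that flags the cookie-guessing pattern described above. The class name, thresholds, and sample addresses are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

ID_BYTES = 16      # 128 bits of CSPRNG output per session id (assumed policy)
MAX_MISSES = 5     # unknown-cookie requests tolerated per client per window
WINDOW = 60.0      # seconds

class SessionStore:
    def __init__(self):
        self._sessions = {}                # session id -> user
        self._misses = defaultdict(list)   # client address -> miss timestamps
        self.blocked = set()

    def create(self, user):
        # Unpredictable id: guessing is infeasible regardless of how easy
        # it is for a client to set an arbitrary Cookie header.
        sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid] = user
        return sid

    def lookup(self, client, cookie_sid, now):
        """Return the user for a presented cookie, or None."""
        if client in self.blocked:
            return None
        user = self._sessions.get(cookie_sid)
        if user is not None:
            return user
        # Unknown id: record the miss and block clients that keep guessing.
        recent = [t for t in self._misses[client] if now - t < WINDOW]
        recent.append(now)
        self._misses[client] = recent
        if len(recent) > MAX_MISSES:
            self.blocked.add(client)
        return None

def replay(store, requests):
    """Feed (time, client, cookie) tuples through the store; return blocked clients."""
    for t, client, sid in requests:
        store.lookup(client, sid, t)
    return sorted(store.blocked)

def sample_requests(valid_sid):
    """Constructed traffic: one legitimate client, one client cycling through ids."""
    guesses = [(float(i), "192.0.2.10", f"guess{i:04d}") for i in range(8)]
    legit = [(1.5, "198.51.100.7", valid_sid), (3.0, "198.51.100.7", "stale-cookie")]
    return sorted(guesses + legit)
```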
