1.7.1 Theory - Normal User Interaction Info
The User sends an initial/first HTTP Request to a Web Application.
The Web Application returns a Login Form to Authenticate the User.
The User must enter:
- a Username, to tell the Web Application who he is
- a Password, to prove to the Web Application that he really is who he claims to be
If the User is properly Authenticated (the Password matches the provided Username), the Web Application sends an HTTP Response
informing the User that he has logged in (or simply forwarding the User to the page where he can take further actions).
That HTTP Response includes a Session Cookie, which is stored locally in the User's Browser to identify him during subsequent HTTP Requests.
After that, every time the User sends an HTTP Request to this Web Application, the Session Cookie created by that Web
Application is also sent with the HTTP Request to automatically Authenticate the User to the Web Application.
At some point, while using Gmail, the User might decide to change his Password.
After entering the new Password and pressing Submit, the following HTTP Request is sent to Gmail to change the Password.
Gmail changes the Password because the HTTP Request contains the Session Cookie that automatically Authenticates the User.
HTTP Request to change Password
https://www.gmail.com/changepassword?newpassword=mynewpassword
Authenticate
Authentication answers the question: Who are you?
The Server needs to know who you are so that it can allow you to do only the things you are allowed to do.
For instance, if you are logging into Gmail you are only allowed to see your own Emails.
Entering just a Username is not enough, because you might be lying about being the person behind that Username.
That is because a Username (like an Email address) is public - other people know your Username.
So you also need to provide your Password to prove that you are really the person behind that Username.
This works because the Password is private - only the person who really owns this Username knows its Password.
Login Form @ http://www.gmail.com/login
Session Cookie
The Session Cookie is stored locally in the User's Browser as part of the HTTP Response after successful Authentication.
The Session Cookie is used to Authenticate the User during subsequent HTTP Requests.
This way the User doesn't have to go through the Login Form for each subsequent HTTP Request.
Instead, during each subsequent HTTP Request the Session Cookie is automatically sent to the Web Application in order to
automatically Authenticate the User (tell the Server who made the HTTP Request).
A Session Cookie is assigned to the specific URL/Domain where the Web Application that sent it lives.
This means that when the User sends another HTTP Request to http://www.gmail.com/myemails, the Session Cookie assigned
to www.gmail.com is sent with the HTTP Request to automatically Authenticate the User to the Gmail Web Application.
If the User sends an HTTP Request to some other URL/Domain, like http://www.yahoo.com/myemails, a different Session
Cookie, the one assigned to www.yahoo.com, is sent with the HTTP Request to automatically Authenticate the User to the
Yahoo Web Application.
Subsequent HTTP Request carrying the Session Cookie that an earlier HTTP Response set
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com
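The login, Session Cookie and change-Password steps from the Normal User Interaction section, together with the per-Domain cookie rule from the Session Cookie section, replayed in a small Python model. This is an added example, not code from the course: the two Web Applications, the hostnames www.gmail.com and www.yahoo.com, the user alice and every password are made up, and HTTP is reduced to plain dicts and tuples instead of real sockets. Two pieces go beyond what the text describes and are the ones a defender would expect to see: the server keeps a salted password hash compared in constant time, and the Set-Cookie header carries HttpOnly, Secure and SameSite attributes.

```python
# Added example (not from the course): a minimal model of login -> Session
# Cookie -> cookie-authenticated requests, plus the browser rule that a cookie
# is only sent back to the host that set it. All hosts/users/passwords are
# made up for this example.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs


class WebApplication:
    """One Web Application living on one host (e.g. www.gmail.com)."""

    def __init__(self, host, users):
        self.host = host
        # Keep only salted password hashes; the plaintext is never stored.
        self._users = {u: self._hash(p) for u, p in users.items()}
        self._sessions = {}  # session token -> username

    @staticmethod
    def _hash(password):
        # Fixed salt keeps the example deterministic; real apps use a per-user salt + slow KDF.
        return hashlib.sha256(b"example-salt" + password.encode()).hexdigest()

    def handle(self, request):
        """Serve one request; returns (status, response headers, body)."""
        if request["path"] == "/login":
            return self._login(request)
        # Every other page identifies the User purely by the Session Cookie.
        user = self._sessions.get(request["cookies"].get("session"))
        if user is None:
            return 302, {"Location": "/login"}, "please log in"
        if request["path"] == "/myemails":
            return 200, {}, f"emails of {user}"
        if request["path"] == "/changepassword":
            new_password = request["query"].get("newpassword", [""])[0]
            self._users[user] = self._hash(new_password)
            return 200, {}, f"password changed for {user}"
        return 404, {}, "not found"

    def _login(self, request):
        username = request["form"].get("username", "")
        password = request["form"].get("password", "")
        stored = self._users.get(username)
        # compare_digest avoids leaking timing information about the hash.
        if stored is None or not hmac.compare_digest(stored, self._hash(password)):
            return 401, {}, "bad username or password"
        token = secrets.token_urlsafe(24)
        self._sessions[token] = username
        # HttpOnly/Secure/SameSite restrict who can read or send the cookie.
        set_cookie = f"session={token}; HttpOnly; Secure; SameSite=Lax"
        return 200, {"Set-Cookie": set_cookie}, f"logged in as {username}"


class Browser:
    """Holds a per-host cookie jar and attaches cookies like a real browser."""

    def __init__(self):
        self._jar = {}  # host -> {cookie name: value}

    def request(self, app, method, url, form=None):
        parts = urlsplit(url)
        if parts.hostname != app.host:
            raise ValueError("request routed to the wrong Web Application")
        request = {
            "method": method,
            "path": parts.path,
            "query": parse_qs(parts.query),
            "form": form or {},
            # Only cookies previously set by this exact host are attached.
            "cookies": dict(self._jar.get(parts.hostname, {})),
        }
        status, headers, body = app.handle(request)
        if "Set-Cookie" in headers:
            name, value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
            self._jar.setdefault(parts.hostname, {})[name] = value
        return status, body

    def cookies_for(self, host):
        return dict(self._jar.get(host, {}))


def walkthrough():
    """Replays the steps from the text and returns the outcome of each one."""
    gmail = WebApplication("www.gmail.com", {"alice": "old-password"})
    yahoo = WebApplication("www.yahoo.com", {"alice": "unrelated-password"})
    browser = Browser()
    r = {}
    # 1. First request: no cookie yet, so the app redirects to the Login Form.
    r["before_login"] = browser.request(gmail, "GET", "https://www.gmail.com/myemails")[0]
    # 2. Username + Password go in; the response sets the Session Cookie.
    r["login"] = browser.request(gmail, "POST", "https://www.gmail.com/login", form={"username": "alice", "password": "old-password"})[0]
    # 3. The next request is authenticated by the cookie alone.
    r["after_login"] = browser.request(gmail, "GET", "https://www.gmail.com/myemails")[0]
    # 4. The Password change succeeds for the same reason.
    r["change"] = browser.request(gmail, "GET", "https://www.gmail.com/changepassword?newpassword=mynewpassword")[0]
    # 5. The gmail cookie never travels to yahoo, so yahoo sees no session.
    r["yahoo"] = browser.request(yahoo, "GET", "https://www.yahoo.com/myemails")[0]
    r["gmail_cookie_sent_to_yahoo"] = "session" in browser.cookies_for("www.yahoo.com")
    # 6. From now on only the new Password logs in.
    r["old_password_login"] = browser.request(gmail, "POST", "https://www.gmail.com/login", form={"username": "alice", "password": "old-password"})[0]
    r["new_password_login"] = browser.request(gmail, "POST", "https://www.gmail.com/login", form={"username": "alice", "password": "mynewpassword"})[0]
    return r
```

Calling `walkthrough()` returns a dict of status codes: the request before login is redirected (302), the login and every cookie-bearing request to www.gmail.com succeed (200), the request to www.yahoo.com is redirected again because the gmail cookie is never attached to it, and after the change only the new Password is accepted. The cookie jar is keyed by the exact hostname, which is the property the Session Cookie section describes and the reason a cookie set by one Web Application is invisible to another.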