Cookie injection principle and utilization (cookie relay injection)

One: The principle of Cookie injection

Let's look at what happens when cookies are injected! If you have studied ASP
You should know Request.QueryString (get) or Request.Form (POST)!
Oh, yes, that's what we use to read the value in the specified key that the user sends to the Web server!
We sometimes write in order to simplify the code
Id= Request ("ID")
This is a simple way of writing, but the problem is coming ~ ~ ~
Let's look at how the Web service reads the data, he is to take the data in the get, no more data in the post, but also to fetch the data in the cookies (Halo, the book did not say so, this is and small high communication just know ~ ~ seems to say the book is not full ~ ~)

Let's take a look at the anti-injection system, and he will detect the data in get and post, if there are special characters (of course, the character is injected)!
Prohibit the submission of data! But he did not test cookies for data. The problem is here ~ ~ ~
So how do we test if there's a problem with cookies?

Please look at the connection below (for example, so the connection is not true)

Http://www.xxx.com/1.asp?id=123

If we only lose http://www.xxx.com/1.asp

, you can't see the normal data because there are no parameters!
We would like to know if there is a problem with cookies (that is, there are no request ("XXX") format questions),
First with IE input
Http://www.xxx.com/1.asp
Loading Web page, showing abnormal (reason for no input parameters)
Then enter in IE input box
Javascript:alert (document.cookie= "id=" +escape ("123"));
Press Enter and you will see a pop-up dialog box content is: id=123
After you refresh a page, if the display is normal, the representation is used
Request ("ID") this format collects data ~ ~ ~, this format can test the cookies into

Enter in the input box
Javascript:alert (document.cookie= "id=" +escape ("123 and 3=3"));
Refresh the page, if the display is normal, you can try the next step (if not normal, it may also have filtered)

Javascript:alert (document.cookie= "id=" +escape ("123 and 3=4")); Refresh the page
If the abnormal display, this means that there are injected ~ ~ ~

If the programmer is using
Request.QueryString
Or
Request.Form
Collecting data, it is not possible to use cookies to bypass the injection system to inject, because the service program is straightforward from Get or post to read the data, cookies have data, the Web server is ignored, so it can not be used. ~

--------------------------------------------------------------------------
For the convenience of friends who do not know
Javascript:alert (document.cookie= "id=" +escape ("123"));
I mean, I'll explain.
Document.cookie= "id=" +escape ("123") is to save 123 to the ID of the cookie.

Alert (XXX) is the Bomb dialog box

II: Use (Cookie relay injection)

Online there is a detailed explanation: Cookie Relay injection principle of transfer

Confirm that there is a cookie injection, the use of transit injection to generate files, you can use the "Ah D injection Tool" and other automated injection tools to test this file