The Web Blinders logo

Programming

Bad Cookie Practices explained on live popular website - ajagz.com

With the help of this tutorial, you can view feedbacks received by your friend / lover on ajagz.com.

Let's begin hacking. First go to ajagz.com

ajagz,ajagz.com,php security practices, javascript security practices
  • I went through the website and I understood the application flow from the below steps.
  • For security purpose, only you can see your friends writings.

    As no email / mobile / password are asked during registration and also from the above statement it is clear that a cookie or session id is being used to identify the user and display his/her feedback list.

  • After entering your name , you will get a link ,which you can share with your friends. For example :https://ajagz.com/write.php?urlId=ea349ef. Yes! It is the link to my profile , Lets hack my account
ajagz,ajagz.com,php security practices, javascript security practices
  • You can see in the above image See your Friends Feedback, You can see the list of feedbacks you received by clicking on it.
  • If you see the cookies set for that site, there will be a cookie with name write and value as profile id. In my case,it is write=ea349ef
  • Keep in mind above points and I will explain how to view the list of feedbacks a person received.I will explain this by taking my profile url as an example , so in the end you will be able to see the list of feedbacks my profile received(but it says only I can see my list.sed reacts only
  • To do this , first you need their shared link.For example(mine) : https://ajagz.com/write.php?urlId=ea349ef 
document.cookie = ' write = ea349ef ';

Replace ea349ef as per your victims urlId in this link - https://ajagz.com/write.php?urlId=ea349ef

For example : if the link is https://ajagz.com/write.php?urlId=ea233zz, then urlId = ea233zz and then set cookie as document.cookie = ' write=ea233zz ';

After setting the cookie , http://ajagz.com/written-list.php?urlId=ea349ef , copy above link and replace urlId as per your victims urlId and paste it into browsers address bar. Bingo !! You will see the list of feedbacks received by the victim.

HOW ?

The webpage is retrieving data from the database based on

  • GET parameter urlId
  • value of the cookie write

Just taking care of above two things is enough to view feedback list of a person on that site. So this article practically explains how careful you need to be while managing cookies .

if you want me to get your friends / crush / lovers feedback, Send a mail to thedineshj@gmail.com

Need developers ?

if so, send a message.

thewebblinders@gmail.com

More Programming from our blog

SEARCH FOR ARTICLES