06 Jun, 2014

Deobfuscate Client Side Cookies

by Ken Johnson

This post provides code snippets that allow you to deobfuscate client-side cookies in Rails and Django.

In case you are unfamiliar, these frameworks can store session data inside cookies, offloading storage to the user’s browser. They do this with multi-part cookies. One part of the cookie is the actual data (obfuscated, of course) and the other part is a hash. The values inside the cookie, along with the server-side secret (and sometimes a timestamp), are used to create the hash.

If the hash the user provides (the hash from their cookie) matches a hash generated by the server (made up of the obfuscated cookie data in the cookie + secret key and maybe a timestamp), the cookie is considered valid.
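As an added illustration of the data-plus-hash layout described above (not code from the original post), the Python below builds a constructed cookie shaped like `payload:timestamp:signature`, reads the payload without the secret, and verifies the signature with it. The secret, session values, JSON payload and simplified HMAC-SHA1 signing are assumptions, not the frameworks' exact schemes.

```python
import base64, hashlib, hmac, json, zlib

SECRET = b"constructed-server-secret"  # constructed sample; real secrets stay server-side


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(value: str, secret: bytes) -> str:
    # Simplified signer (assumption): HMAC-SHA1 over "payload:timestamp".
    return b64e(hmac.new(secret, value.encode(), hashlib.sha1).digest())


def make_cookie(session: dict, timestamp: str, secret: bytes) -> str:
    raw = json.dumps(session, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    # A leading "." marks a zlib-compressed payload.
    payload = "." + b64e(packed) if len(packed) < len(raw) else b64e(raw)
    value = f"{payload}:{timestamp}"
    return f"{value}:{sign(value, secret)}"


def read_without_secret(cookie: str) -> dict:
    # Only base64 (and maybe zlib) stands between a reader and the data.
    payload = cookie.split(":")[0]
    if payload.startswith("."):
        return json.loads(zlib.decompress(b64d(payload[1:])))
    return json.loads(b64d(payload))


def verify(cookie: str, secret: bytes) -> bool:
    # The signature proves integrity; it does nothing for confidentiality.
    value, _, sig = cookie.rpartition(":")
    return hmac.compare_digest(sig, sign(value, secret))


if __name__ == "__main__":
    cookie = make_cookie({"user_id": 42, "api_token": "constructed-token"}, "1XyZab", SECRET)
    print(cookie)
    print(read_without_secret(cookie))  # readable with no knowledge of SECRET
    print(verify(cookie, SECRET))       # only the server can check this
```

The payload is JSON here so that inspecting a cookie never unpickles untrusted bytes.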

Django Session Deobfuscation - Using Pickle Serialization (NOT JSON Serialization)

Rails Session Deobfuscation

This shows us that even though the session cookies are encoded and signed, their cleartext values are easily accessible. Rails and Django developers should take care never to use the session to store sensitive data, as it can be easily exposed.