websites – How to steal cookies by sending a link

websites – How to steal cookies by sending a link – Information Security Stack Exchange

security token service – How to get past the X-MSDAVEXT_Error=917656 issue when obtaining sharepoint online cookies?

I’m getting an issue basically described perfectly here: https://www.undocumented-features.com/2019/12/02/resolved-sharepoint-online-web-site-does-not-support-sharepoint-online-credentials/

To authenticate, I am using the binary security token form of authentication. When I attempt to obtain the SPOIDCRL cookie from SharePoint I get spit back:

"Authorization: BPOSIDCRL t=Ew.....jiwC&p=(r)(n)"
 "Host: mytenant.sharepoint.com(r)(n)"
 "Connection: Keep-Alive(r)(n)"
 "User-Agent: Apache-HttpClient/4.5.6 (Java/1.8.0_171)(r)(n)"
 "Accept-Encoding: gzip,deflate(r)(n)"
 "(r)(n)"
 "HTTP/1.1 401 Unauthorized(r)(n)"
 "Cache-Control: private(r)(n)"
 "Content-Type: text/plain; charset=utf-8(r)(n)"
 "P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"(r)(n)"
 "X-SharePointHealthScore: 1(r)(n)"
 "X-AspNet-Version: 4.0.30319(r)(n)"
 "SPRequestGuid: 78...d09(r)(n)"
 "request-id: 783...09(r)(n)"
 "MS-CV: n8Q...Q.0(r)(n)"
 "Strict-Transport-Security: max-age=31536000(r)(n)"
 "X-FRAME-OPTIONS: SAMEORIGIN(r)(n)"
 "X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.(r)(n)"
 "SPRequestDuration: 18(r)(n)"
 "SPIisLatency: 1(r)(n)"
 "X-Powered-By: ASP.NET(r)(n)"
 "MicrosoftSharePointTeamServices: 16.0.0.21221(r)(n)"
 "X-Content-Type-Options: nosniff(r)(n)"
 "X-MS-InvokeApp: 1; RequireReadOnly(r)(n)"
 "X-MSEdge-Ref: Ref A: 8B389A9AB7E14D9C8D5EBE533C51FB1D Ref B: BLUEDGE1221 Ref C: 2021-05-03T08:49:05Z(r)(n)"
 "Date: Mon, 03 May 2021 08:49:04 GMT(r)(n)"
 "Content-Length: 0(r)(n)"
 "(r)(n)"

The link above says to go in and check some settings to allow apps that use older methods of authentication. I cannot change that setting.

Is there some other, newer way to obtain SPOICRL cookies other than the old binary security token method?

Will making HTTP cookies unique to a given website make cookies aligned with the strictest privacy guidelines?

As far as I know, the only privacy problem with cookies is that in general, the owners of website Y could read what a visitor has searched for or had done in website X.

The privacy problem with cookies is that they can be used to track a user over multiple sites and specific web pages. And based on these information a profile can be created about the interests of the user – which allow targeted ads and similar.

… so other websites won’t be able to access it

Other websites cannot access the cookies or a site. Its the cookies these web sites itself set, i.e. cookies from Facebook when a like button is included in any page, cookies from Google if Google Analytics is used in a page etc.

This also means that your approach of unique cookies will not help, since it does not addresses the actual problem.

mod rewrite – Verify 2 cookies with mod_rewrite before serving images

I have the following mod_rewrite rule, which works fine in my Apache 2.x on CentOS 6 Linux machine, but it is not complete:

RewriteCond %{HTTP_COOKIE} !id
RewriteCond %{REQUEST_URI} ^/sites/default/files/pictures/picture-
RewriteRule .* /images/dummy.png (L)

because I’m trying to change it in 2 ways:

  1. Actually 2 cookies (and not just 1 as above) should be present: id and auth (but I don’t know, how to do (X or Y) and Z with mod_rewrite)

  2. I’d like to verify that the value of the auth cookie is a 32 hex chars string (an MD5 hash) and that the value of id cookie is numeric.

The background is that I’ve gotten a bill for EUR 1000,- from Getty
Images, because one of the Drupal users on my server has supposedly used their picture as an avatar. I’m not looking for any lawyer or pseudo-lawyer advice here, just for the way to display a dummy image instead of real user pictures to web crawlers.

And yes, I’ve noticed in the mod_rewrite doc, that I could pass the cookie values to an external script through mod_rewrite (for verifying the MD5 hash), but I’d like to tackle this later.

UPDATE 2:

I’ve come up with the following

RewriteCond %{REQUEST_URI} ^/sites/default/files/pictures/picture-
RewriteCond %{HTTP_COOKIE} !auth=(a-fA-F0-9){32} (OR)
RewriteCond %{HTTP_COOKIE} !id=(0-9)+
RewriteRule .* /images/dummy.png (L)

but I’m not sure, if the above RewriteCond‘s act as X and (Y or Z) or (X and Y) or Z

Was youtube-nocookie.com always serving cookies or did it start recently? Is it a scam?

I’ve been using Youtube embeds in enhanced privacy mode by

chang(ing) the domain for the embed URL in your HTML from https://www.youtube.com to https://www.youtube-nocookie.com

I remember checking via DevTools (Application/Storage tab) that no cookie was actually set.

A customer just notified me that they did find cookies set by the domain .youtube-nocookie.com — weirdly, something about “consent pending”, which does not change when I click play, as other sources state.
They have also alerted me to some shenanigans in Local Storage, namely an item with the key yt-remote-device-id, which has a UUID and an expiration date 10 years in the future.

I have always suspected that Enhanced Privacy Mode is somewhat of a exaggeration, but this seems to defeat the purpose almost entirely. And it makes youtube-nocookie practically useless w.r.t. a less painful GDPR-compliant user experience.

Is this a recent change? Is there any documentation or changelog on that?

magento 2.4.2 updated get The store will not work correctly in the case when cookies are disabled

When I upgraded my webiste from M2.3.5 to M2.4.2, I get this notice “The store will not work correctly in the case when cookies are disabled.” on top of head frontend for 3 seconds. But I installed a new M2.4.2 have not get that notice(Cookie Restriction Mode = No) . I found div id named “cookie status” The store will not work correctly in the case when cookies are disabled. but I can’t find which file can control this. I don’t need the notice display, so how to do that? Thanks

enter image description here

enter image description here

enter image description here

security – Best Practice Angular HTTPOnly Cookies and RoleGuards

I want to improve my security of my web-applications and started to look for actual security concepts for Angular >= 10.

So I came over HTTPOnly cookies, which seemed to be state-of-the art. Since now, I only worked with “Standard” JWT tokens and extracted the props e.g. iat, exp and my data from the jwt and built related guards based on it.

But if I understood it correct as stated here HTTP Only Stackoverflow Question the cookie can not be accessed on the client side.

So my question to you is:

How can I build up a role based guard on the client side, without accessing the cookie and not duplicating the effort to still send the jwt-token via the request header.

Thanks a lot in advance for your comments!
Best regards
Ragitagha

How do you exclude yourself from Google Analytics on your website using cookies?

I’m trying to set up an exclusion filter with a browser cookie, so that my own visits to my don’t show up in my Google Analytics. I tried 3 different methods and none of them have worked so far. I would like help understanding what I am doing wrong and how I can fix this.

Method 1
First, I tried following Google’s instructions, http://www.google.com/support/analytics/bin/answer.py?hl=en&answer=55481, for excluding traffic by Cookie Content:

Create a new page on your domain,
containing the following code:

<body onLoad="javascript:pageTracker._setVar('test_value');">

Method 2
Next, when that didn’t work, I googled around and found this Google thread, http://www.google.com/support/forum/p/Google%20Analytics/thread?tid=4741f1499823fcd5&hl=en, where the most popular answer says to use a slightly different code:

SHS Analytics wrote:

 <body onLoad="javascript:_gaq.push(('_setVar','test_value'));">

Thank you! This has now set a __utmv cookie containing “test_value”,
whereas the original:

 pageTracker._setVar('test_value')

(which Google is still recommending)
did not manage to do that for me (in
Mac Safari 5 and Firefox 3.6.8).

So I tried this code, but it didn’t work for me.

Method 3
Finally, I searched StackOverflow and came across this thread, https://stackoverflow.com/questions/3495270/exclude-my-traffic-from-google-analytics-using-cookie-with-subdomain, which suggests that the following code might work:

 <script type="text/javascript">
    var _gaq = _gaq || ();
    _gaq.push(('_setVar', 'exclude_me'));
    _gaq.push(('_setAccount', 'UA-xxxxxxxx-x'));
    _gaq.push(('_trackPageview'));
 // etc...
 </script>

This script appeared in the head element in the example, instead of in the onload event of the body like in the previous 2 examples. So I tried this too, but still had no luck with trying to exclude myself from Google Analytics.

Re-iterate question
So, I tried all 3 methods above with no success. Am I doing something wrong? How can I exclude myself from my Google Analytics using an exclusion cookie for my browser?

Update
I’ve been testing this for several days now, and I’ve confirmed that the 2nd method of excluding yourself from tracking does indeed work. The problem was that the filter settings weren’t properly applied to my profile, which has been corrected. See the accepted answer below.

Nginx mirror request to different upstream and set cookies

So the basic idea is that I want to have nginx cache the upstream for all those benefits, but I also want it to mirror the requests to a specific route in the upstream (/api) which handles some analytics processing. That part I got working so far:

server {
  location / {
    mirror /api;
    proxy_cache my_cache;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_revalidate on;
    proxy_pass http://upstream:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_ignore_headers Cache-Control;
    proxy_cache_valid any 30m;
  }
  location /api {
    internal;
    proxy_pass http://upstream:3000/api;
  }
}

I’ve verified that the upstream’s /api is getting all the requests and setting a cookie if it can’t see it in the request. Woo! But there is one problem. The upstream logic checks for a uuid cookie and if it doesn’t find one, makes a uuid and sets that cookie. How do I get nginx to set that cookie that the upstream sets?

I’m using the default nginx:1.19.10 docker image for this (in a docker-compose, so upstream is the hostname of another service)

Who likes cookies? | Forum Promotion

DreamProxies - Cheapest USA Elite Private Proxies 100 Private Proxies 200 Private Proxies 400 Private Proxies 1000 Private Proxies 2000 Private Proxies ExtraProxies.com - Buy Cheap Private Proxies Buy 50 Private Proxies Buy 100 Private Proxies Buy 200 Private Proxies Buy 500 Private Proxies Buy 1000 Private Proxies Buy 2000 Private Proxies ProxiesLive Proxies-free.com New Proxy Lists Every Day Proxies123