What protection does GMail have against cookie injection / poisoning?

[plarser48]

I'm learning about the capabilities and limitations of cookie injection within my local network. Using airmon-ng, airodump-ng, and wifizoo, I am able to passively (i.e. NON MOTM) capture the packets no problem, and view the cookies in wifizoo.

For both the victim and "hack" machine, I cleared all cookies. To test performance on different sites, on my secondary "victim" computer I visited Facebook, GMail, and UbuntuForums. In each, I logged into the websites on the victim computer and captured packets on the hack machine.

I am able to inject the cookies for both facebook and ubuntuforums no problem. But I have a real hard time with GMail. When I visit Google or mail.google.com, it asks me to login. Yet if I search, the google email address appears in the top right corner. So a cookie was injected, just not enough to access GMail (or change my settings).

So I am wondering: Am I just executing wrong? Or does GMail just have better protection against cookie poisioning? If the latter, is it due to how GMail has SSL login? Is it possible to inject cookies for GMail with just passive packet capture?

[lupin]

Can you describe the details of the cookie injection attack you are attempting? Are you actually talking about capturing cookie data from these sniffed sessions and using them in your browser to access the service as the user who owns the cookie?

If you want to know more about how the GMail authentication works Id recommend capturing the logon in an interception proxy like burp and watching the Set-cookie directive returned by the webserver to a successful login. That will let you know the domain of the cookie and whether it has properties such as "Secure" that will require transport via https.

*The standard disclaimer about not using this method to access anyone elses accounts goes here*

[plarser48]

Lupin that is exactly what I was trying for all three sites: passively capture packets using airodump and opening the .cap later and injecting into browser via wifi.

I was shocked at how simple it was to sidejack a session. And then noticed that it didn't work for gmail. So first I was curious if I was just plain doing it wrong for gmail and I messed up in a gmail sidejack attempt.

If I didn't mess up and gmail in fact provided a more secure cookie measure, I was then curious what is it exactly gmail is doing to make it more secure.

So it sounds like if i inspect via burp proxy and compare a gmail http-session with another one like facebook, I may get a better understanding. When I have a chance I'll give it a shot. (it'll be a good learning exercise!)