Advertisement - Why am I seeing ads? Report
   
 

.ROBLOSECURITY

Sort:
Previous Thread :: Next Thread 
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 01:59 PM
what is the value encrypted in?

don't delete this post for I am just asking a simple question that could lead me to finding some neat stuff editing cookies. hehe
Report Abuse
RenderSettings is not online. RenderSettings
Joined: 16 Aug 2010
Total Posts: 2522
31 Dec 2012 02:03 PM
I doubt that it is any plaintext encrypted, and probably more a random XOR'd session id.
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 02:10 PM
thanks and it is somewhat encrypted in XOR. when I decrypt it it comes in complete gibberish. i forgot what that word is for when the text is in random symbols.

anyway what does .ROBLOSECURITY contain in it? and is it worth it to edit some things which = fun?
Report Abuse
RenderSettings is not online. RenderSettings
Joined: 16 Aug 2010
Total Posts: 2522
31 Dec 2012 02:37 PM
I honestly doubt you decrypted it, especially since there is no way to tell if you have the correct XOR key or if it is a pass phrase instead.

And no, there is no reason. It is several hundred characters long, meaning that if you just randomly changed letters it would not even remotely work, and it only has info to link your browser to a session on the server.
Report Abuse
NVI is not online. NVI
Joined: 11 Jan 2009
Total Posts: 4673
31 Dec 2012 02:44 PM
"The SessionID property is used to uniquely identify a browser with session data on the server. The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The SessionID value is then sent in a cookie with each request to the ASP.NET application."

It's a randomly generated identifier. Editing changes nothing. Learn about sessions.
Report Abuse
Merely is online. Merely
Joined: 07 Dec 2010
Total Posts: 16809
31 Dec 2012 02:44 PM
It's encrypted server-side.
Report Abuse
NVI is not online. NVI
Joined: 11 Jan 2009
Total Posts: 4673
31 Dec 2012 02:45 PM
Although, it is perfectly possible to obtain someone else's session ID from this cookie if you have access to it. Means you'll login as them.

Connor and I have done that before, and it can be done again. There's no way to safeguard against it:

"The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID."

It's just how sessions work.
Report Abuse
stravant is not online. stravant
Forum Moderator
Joined: 22 Oct 2007
Total Posts: 2885
31 Dec 2012 03:41 PM
It isn't _even_ encrypted.

There's nothing to encrypt, it's just a number.
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 05:37 PM
but what do the numbers mean
do they just put a letter/number inbetween every word or number ID or something like A1A0A1A0 or 0H8E8L2L5O1
i just found out they can't be edited since it won't do anything but how would you go by accessing another persons account via cookies?
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 05:38 PM
and I'm doing this for the good because i want to figure out HOW to do so
Report Abuse
awsumpwner27 is not online. awsumpwner27
Joined: 03 Sep 2011
Total Posts: 4390
31 Dec 2012 05:44 PM
Is it some sort of way to identify unique users? Are all users numbered?
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 05:46 PM
everytime you go on a roblox page there is a .ROBLOSECURITY cookie that has all your login information inside it.

i'm just trying to figure out how they can log on to another users account by knowing their .ROBLOSECURITY
Report Abuse
awsumpwner27 is not online. awsumpwner27
Joined: 03 Sep 2011
Total Posts: 4390
31 Dec 2012 05:47 PM
What if you replace your .ROBLOSECURITY with theirs?
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 05:48 PM
fffffffffffffffffffffffffffffffffffffffffffffffffffffffff

i wasn't even thinking about that. i shall try it in just a bit, maybe it will work.
Report Abuse
HardDrive500GB is not online. HardDrive500GB
Joined: 21 Apr 2011
Total Posts: 82
31 Dec 2012 05:54 PM
it worked. wuuzaaaa. i'm about to try this on a friend just for fun(i'll give him back his acc)

thanks asumpwner
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 05:54 PM
omg wrong account
thatwasme
Report Abuse
Seranok is not online. Seranok
Joined: 12 Dec 2009
Total Posts: 9991
31 Dec 2012 06:01 PM
Let's clear up some misconceptions.

.ROBLOSECURITY is encrypted by the server. However, decrypting it isn't feasible client-side, so it isn't done.

Also, the fact that you can gain access to someone else's account if you have their .ROBLOSECURITY isn't a flaw. It's how cookies work. Just don't give out your cookies, ever!
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 06:09 PM
haha the way you said it "Just don't give out your *cookies*, ever!"
an't nobody taking my cookies :<

anyway are google chrome extensions or other outside applications on our computer able to see our cookies. I know applications are but what about google chrome extensions?
Report Abuse
stravant is not online. stravant
Forum Moderator
Joined: 22 Oct 2007
Total Posts: 2885
31 Dec 2012 07:20 PM
"but what do the numbers mean"

It doesn't mean anything to anyone but the server.

You can think of the server as having a big table of those numbers, and associated with each number is a value saying "XXX account is logged in", then the server will let you do things as that account.

Basically, that number is a "secret key" that your browser passes the site, much like a p4ssword. The difference from just sending your p4ssword is that with such a key, the key can change often, and be much longer than a p4ssword.
Report Abuse
DannyCore is not online. DannyCore
Joined: 25 Apr 2012
Total Posts: 990
31 Dec 2012 08:06 PM
your so smart stravant that you saved my day
Report Abuse
Seranok is not online. Seranok
Joined: 12 Dec 2009
Total Posts: 9991
31 Dec 2012 10:50 PM
> You can think of the server as having a big table of those numbers, and associated with each number is a value saying "XXX account is logged in", then the server will let you do things as that account.

That's a good guess, but wrong. When you make a request to a web page, the server decrypts your .ROBLOSECURITY cookie to determine information, such as when the cookie was created or your username.

And this is why session fixation is a problem. If .ROBLOSECURITY was merely a key in a table, it would simply be a matter of removing that particular entry whenever the user logged out.
Report Abuse
DrAgonmoray is not online. DrAgonmoray
Joined: 29 Jul 2008
Total Posts: 17403
31 Dec 2012 11:07 PM
The cookie itself has no information..
Report Abuse
MarkOtaris is not online. MarkOtaris
Joined: 28 Jan 2012
Total Posts: 18
31 Dec 2012 11:18 PM
I just realized that if you had the algorithm that converts the session number into the content of the cookie, you could actually brute-force it and not have the problem of CAPTCHAs... I mean, it'd probably be even longer than brute-forcing a pw, but you won't have the problem of CAPTCHAs or flood checkers...
Report Abuse
Seranok is not online. Seranok
Joined: 12 Dec 2009
Total Posts: 9991
31 Dec 2012 11:19 PM
Wrong. The cookie does contain information. Google "FormsAuthenticationTicket" if you don't believe me.
Report Abuse
MarkOtaris is not online. MarkOtaris
Joined: 28 Jan 2012
Total Posts: 18
31 Dec 2012 11:20 PM
"That's a good guess, but wrong. When you make a request to a web page, the server decrypts your .ROBLOSECURITY cookie to determine information, such as when the cookie was created or your username."

I doubt that. When the cookie is created is already stored in another cookie and I think it can also be provided by the web browser. As for the username, if the cookie contained only the time of creation and the username, then someone could steal any account only by having the algorithm used by ROBLOX to encrypt them...

Then, again, it would also make sense..
Report Abuse
Previous Thread :: Next Thread 
Page 1 of 3Goto to page: [1], 2, 3 Next
 
 
   
 
Advertisement Report