WebApp Sec mailing list archives

RE: modify non-persistent cookies


From: "Chris Neppes" <cneppes () port80software com>
Date: Tue, 17 Dec 2002 11:37:18 -0800

In IIS, you can disable the ASP session state so that the session cookie
id is masked
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244465).

If you want to further mask any session cookie on an IIS box, try
ServerMask (www.servermask.com).

Best,
Chris

    ::::::::::     ::::::::::

Chris Neppes 
Port80 Software, Inc. 
www.port80software.com  

5252 Balboa Ave., Ste. 605 
San Diego, CA 92117 
cneppes () port80software com
858.268.7960 voice
619.606.2860 cell 
858.268.7760 fax

Web server modules for Microsoft IIS.
security. performance. user experience.



-----Original Message-----
From: Glyn [mailto:glyng () bigfoot com] 
Sent: Tuesday, December 17, 2002 8:08 AM
To: mono () spurious biz; webappsec () securityfocus com
Subject: RE: modify non-persistent cookies

Hi,

Using application assessment proxy tools like Achilles, WebProxy or
Odysseus you can intercept in- and outbound headers and data.

You can therefore either modify the cookie on the way in (so your
version of the cookie is held by the browser), or on the way out
(substituting your data for the cookie).

Regards,
G.

www.wastelands.gen.nz/odysseus
www.packetstormsecurity.com/filedesc/achilles-0-27.zip.html
www.atstake.com/research/tools

-----Original Message-----
From: mono toy [mailto:mono () spurious biz] 
Sent: 17 December 2002 10:56
To: Webappsec@Securityfocus. Com
Subject: modify non-persistent cookies


dear list,

is there a way to modify the contents of a non-persistent 
cookie one receives?

thanks!

nico

[ Chief Financial Officer ]
[ cfo () spurious biz ]
[ smells like napalm, tastes like chicken! ]
[ 55B4 B4B6 B2EC B612 6A35  1535 C7E9 0534 7C69 25DF ]


