Penetration Testing mailing list archives

Re: [PEN-TEST] altering non-persistent cookies in memory

From: Erik Peterson <EPeterson () SANCTUMINC COM>
Date: Wed, 17 Jan 2001 21:32:19 -0500

There are some good free proxies on the market to tinker with the cookies
(Achilles from http://www.digizen-security.com comes to mind) Of course
there is always Perl which can be very handy.

There is also one commercial product on the market that will let you modify
cookies, actually let you modify anything (automatically or manually) in any
web application, and will automatically perform penn testing on the web
application itself (and you do not need to be a uber hacker to use the
tool). The product is called AppScan and it's made by Sanctum
(http://www.sanctuminc.com)

DISCLAIMER: I am a security engineer for this company but I keep seeing
requests for web application penetration tools and I feel I need to speak
up. If your are personally interested in more information, or if the group
would like a more detailed description I would be happy to give it. It's
painful sometimes working for a security company because it's damn hard to
sound objective whenever someone asks you a question. I don't know why, we
saw a problem, built a solution and we think it does a good job. Why not
suggest it? But I'll leave that to you, send me a message if your interested
in the details behind AppScan, or go to the web site and have a look for
yourself.

If other security software vendors want to grab a few beers and sob together
about our "objectivity dilemma" I'm up for that too. ;)

Take care,

Erik

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Hofmeyr, Michael
Sent: Wednesday, January 17, 2001 1:16 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] altering non-persistent cookies in memory


Hi all,

Many companies are using non-persistent cookies to authenticate
user sessions. have any of you had any experience or ideas for acessing
and altering non-persistant cookies in a browsers memory? Options i have
considered are using JavaScript to overwrite the cookie during the session,
editing
the cookie in memory with Soft Ice or something similar during the session.
Or
simply telnetting to port 80 of the webserver and submitting a fake cookie
directly?

Any comments/ideas would be welcome.

Rgds

Michael Hofmeyr



______________________________________________________________________
 Ernst & Young South Africa - http://www.ey.com/southafrica

     WARNING:  this e-mail contains confidential information and any
     unauthorised use or interception is illegal.
     If this e-mail is not intended for you, you may not copy, distribute
     or disclose the contents to anyone nor
     take any action in reliance on the content.  If you receive this in
     error, please contact the sender and
     delete the material from any computer.

Current thread:

[PEN-TEST] altering non-persistent cookies in memory Hofmeyr, Michael (Jan 16)
- Re: [PEN-TEST] altering non-persistent cookies in memory Philip Stoev (Jan 17)
  - Re: [PEN-TEST] altering non-persistent cookies in memory Tom Watson (Jan 17)
- Re: [PEN-TEST] altering non-persistent cookies in memory Dzzie Z (Jan 17)
  - Re: [PEN-TEST] altering non-persistent cookies in memory Thomas Reinke (Jan 17)
- Re: [PEN-TEST] altering non-persistent cookies in memory Robert van der Meulen (Jan 17)
- Re: [PEN-TEST] altering non-persistent cookies in memory Erik Peterson (Jan 17)