Penetration Testing mailing list archives
Re: [PEN-TEST] altering non-persistent cookies in memory
From: Erik Peterson <EPeterson () SANCTUMINC COM>
Date: Wed, 17 Jan 2001 21:32:19 -0500
There are some good free proxies on the market to tinker with the cookies (Achilles from http://www.digizen-security.com comes to mind). Of course there is always Perl, which can be very handy. There is also one commercial product on the market that will let you modify cookies, actually let you modify anything (automatically or manually) in any web application, and will automatically perform pen testing on the web application itself (and you do not need to be an uber hacker to use the tool). The product is called AppScan and it's made by Sanctum (http://www.sanctuminc.com).

DISCLAIMER: I am a security engineer for this company, but I keep seeing requests for web application penetration tools and I feel I need to speak up. If you are personally interested in more information, or if the group would like a more detailed description, I would be happy to give it.

It's painful sometimes working for a security company because it's damn hard to sound objective whenever someone asks you a question. I don't know why; we saw a problem, built a solution and we think it does a good job. Why not suggest it? But I'll leave that to you. Send me a message if you're interested in the details behind AppScan, or go to the web site and have a look for yourself.

If other security software vendors want to grab a few beers and sob together about our "objectivity dilemma" I'm up for that too. ;)

Take care,
Erik

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Hofmeyr, Michael
Sent: Wednesday, January 17, 2001 1:16 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] altering non-persistent cookies in memory

Hi all,

Many companies are using non-persistent cookies to authenticate user sessions. Have any of you had any experience or ideas for accessing and altering non-persistent cookies in a browser's memory?

Options I have considered are using JavaScript to overwrite the cookie during the session, editing the cookie in memory with Soft Ice or something similar during the session. Or simply telnetting to port 80 of the webserver and submitting a fake cookie directly?

Any comments/ideas would be welcome.

Rgds
Michael Hofmeyr

______________________________________________________________________
Ernst & Young South Africa - http://www.ey.com/southafrica

WARNING: this e-mail contains confidential information and any unauthorised use or interception is illegal. If this e-mail is not intended for you, you may not copy, distribute or disclose the contents to anyone nor take any action in reliance on the content. If you receive this in error, please contact the sender and delete the material from any computer.