Penetration Testing mailing list archives
Re: [PEN-TEST] altering non-persistent cookies in memory
From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Wed, 17 Jan 2001 12:09:14 +0100
Hi,

Quoting Hofmeyr, Michael (hofmemi () EY CO ZA):
> Many companies are using non-persistent cookies to authenticate user sessions. Have any of you had any experience or ideas for accessing and altering non-persistent cookies in a browser's memory? Options I have considered are using JavaScript to overwrite the cookie during the session, editing the cookie in memory with Soft Ice or something similar during the session. Or simply telnetting to port 80 of the webserver and submitting a fake cookie directly?

Just do a fake session to the webserver from any client you fancy, and change the cookie data in the request.

If you're lazy, and you're running a real operating system, you can edit the cookie data in .netscape/cookies or .mozilla/default/cookies.txt, start the browser (make sure it's not running when you edit the cookies file!), pretend nothing happened, and see the response on the fake cookie. No clue where cookies in NT/'95 or other m$-ish reside, but that should be easy to find out.

Another way is to use 'curl':

    curl -b "SessionID=Sx3c4DrD343md44sb55edXwhatever" <url>

The '-D' option to 'curl' is useful to see cookies you receive back from the webserver, '-e' can be used to spoof referers, and you can submit form data with it as well (even over SSL/otherwise encrypted connections).

Greets,
Robert

-- 
Linux Generation
Reality is a cop-out for people who can't handle drugs.
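Since any client can put arbitrary bytes in the Cookie header, as the curl -b command above does, the server has to verify the value instead of trusting it. The following is an added example, not part of the original thread: a server-side check that binds a random session id to an HMAC tag and to server-side state. SERVER_KEY, SESSIONS, issue_cookie and user_from_cookie_header are hypothetical names; the cookie name SessionID is taken from the curl command.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
SESSIONS = {}                         # session id -> user, held server-side only


def _tag(sid):
    """HMAC-SHA256 over the session id, hex encoded."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user):
    """Create a server-side session and return the cookie value 'sid.tag'."""
    sid = secrets.token_urlsafe(24)   # unguessable id, carries no user data
    SESSIONS[sid] = user
    return f"{sid}.{_tag(sid)}"


def user_from_cookie_header(header):
    """Return the user for a raw Cookie header, or None if it fails any check."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return None
    morsel = jar.get("SessionID")
    if morsel is None:
        return None
    sid, sep, tag = morsel.value.rpartition(".")
    if not sep:
        return None                   # no tag at all, e.g. a hand-typed value
    # Constant-time comparison on bytes; str input could raise on non-ASCII.
    if not hmac.compare_digest(tag.encode(), _tag(sid).encode()):
        return None                   # id or tag was altered by the client
    return SESSIONS.get(sid)          # valid tag but unknown or expired session -> None


if __name__ == "__main__":
    good = "SessionID=" + issue_cookie("alice")
    forged = "SessionID=Sx3c4DrD343md44sb55edXwhatever"  # value from the curl command
    for header in (good, forged):
        print(header[:30], "->", user_from_cookie_header(header))
```
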