WebApp Sec mailing list archives

RE: SUMMARY modify non-persistent cookies and more q's


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Thu, 19 Dec 2002 17:22:38 +0200

I have developed a perl-based http/https proxy that I call mangle. It is not
particularly friendly (all inline fiddling requires some perl coding), but
it is pretty powerful because of that.

It also has some ancillary scripts for analysing cookies (calculates the
character set, attempts to determine predictability of the cookie), and
"reviewing" the HTML returned by the server for links, SCRIPT fragments,
HTML comments, and possible cross site scripting.

It also has a Perl-Gtk GUI to assist in reviewing/documenting the
conversations between the client and the server.

If you are interested, mail me and I'll bundle it all up and send it on.

Mangle is based on httpush, which is also perl based. HTTPush has slightly
less rigorous requirements in terms of Perl modules installed, but it also
has less functionality. Your call. Neither will work on Windows, because the
Perl-SSL routines do not build on a Win32 platform.

Rogan

-----Original Message-----
From: mono toy [mailto:mono () spurious biz] 
Sent: 19 December 2002 04:15 PM
To: webappsec@securityfocus
Subject: SUMMARY modify non-persistent cookies and more q's


dear list,

thanks for all the replies! i'll post a brief summary now and ask some
more ...

modifying non-persistent cookies is definitely possible :) some ways:

- proxies, proxy-like things and testing suites (@stake, achilles,
websleuth, etc.):
i tried achilles (somewhat unstable), @stake's is too expensive, websleuth
looks very nice but haven't had time to test it yet (i rarely use win
boxes)
- ram editors (winhex looks very nice, expensive too though)
- handcrafting (via BHO, perl http-request module, ...)
- the easiest way though: "javascript: document.cookie='CookieName=CookieValue';" :)

as for the proxy and ram editor things: most of these tools were either
expensive, or windows-only, or both. ... can somebody recommend some good,
free, opensource, linux (or os x) variant for tools like winhex or
websleuth?

many thanks,

nico
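
An added example, not part of the original thread and not mangle's own code: the kind of cookie analysis described in the reply above (character set plus a predictability check), written in Python rather than Perl and run over constructed session-cookie values when reviewing your own application. The function names and the sample cookies are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample values (not from the thread): one weak series, one random-looking.
WEAK = ["A1B2000041", "A1B2000042", "A1B2000043", "A1B2000044"]
STRONG = ["9f3c1a7e0b", "2d84f6c015", "e17a93b46d", "50c2d8fe39"]

def charset(samples):
    """Every distinct character seen across the cookie values, sorted."""
    return "".join(sorted(set("".join(samples))))

def position_entropy(samples):
    """Shannon entropy in bits of each character position across the samples."""
    n = len(samples)
    width = min(len(s) for s in samples)
    out = []
    for i in range(width):
        counts = Counter(s[i] for s in samples)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out

def fixed_step(samples):
    """Constant numeric step between successive values (a counter), else None."""
    for base in (10, 16):
        try:
            nums = [int(s, base) for s in samples]
        except ValueError:
            continue
        deltas = {b - a for a, b in zip(nums, nums[1:])}
        if len(deltas) == 1:
            return deltas.pop()
    return None

def analyse(samples):
    """Summarise character set, constant positions, observed entropy and counter step."""
    ent = position_entropy(samples)
    return {
        "charset": charset(samples),
        "constant_positions": [i for i, e in enumerate(ent) if e == 0],
        # Observed entropy is capped at log2(len(samples)) per position,
        # so a real review needs far more samples than this demo uses.
        "observed_bits": sum(ent),
        "fixed_step": fixed_step(samples),
    }

if __name__ == "__main__":
    for name, data in (("weak", WEAK), ("strong", STRONG)):
        print(name, analyse(data))
```

A cookie that reports many constant positions or a fixed step should be replaced with a value drawn from a cryptographically secure random source.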

