WebApp Sec mailing list archives
RE: SUMMARY modify non-persistent cookies and more q's
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Thu, 19 Dec 2002 17:22:38 +0200
I have developed a perl-based http/https proxy that I call mangle. It is not particularly friendly (all inline fiddling requires some perl coding), but it is pretty powerful because of that.

It also has some ancillary scripts for analysing cookies (calculates the character set, attempts to determine predictability of the cookie), and "reviewing" the HTML returned by the server for links, SCRIPT fragments, HTML comments, and possible cross site scripting.

It also has a Perl-Gtk GUI to assist in reviewing/documenting the conversations between the client and the server.

If you are interested, mail me and I'll bundle it all up and send it on.

Mangle is based on httpush, which is also perl based. HTTPush has slightly less rigorous requirements in terms of Perl modules installed, but it also has less functionality. Your call.

Neither will work on Windows, because the Perl-SSL routines do not build on a Win32 platform.

Rogan

-----Original Message-----
From: mono toy [mailto:mono () spurious biz]
Sent: 19 December 2002 04:15 PM
To: webappsec@securityfocus
Subject: SUMMARY modify non-persistent cookies and more q's

dear list,

thanks for all the replies! i'll post a brief summary now and ask some more ...

modifying non-persistent cookies is definitely possible :)

some ways:

- proxies, proxy-like things and testing suites (@stake, achilles, websleuth, etc.): i tried achilles (somewhat unstable), @stake's is too expensive, websleuth looks very nice but haven't had time to test it yet (i rarely use win boxes)
- ram editors (winhex looks very nice, expensive too though)
- handcrafting (via BHO, perl http-request module, ...)
- the easiest way though: "javascript: document.cookie='CookieName=CookieValue';" :)

as for the proxy and ram editor things: most of these tools were either expensive, or windows-only, or both. ... can somebody recommend some good, free, opensource, linux (or os x) variant for tools like winhex or websleuth?

many thanks,
nico
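
The cookie review mentioned in the reply above (character set, predictability), sketched as an added example that is not part of mangle, httpush or either post. The function names and the sample tokens are constructed for illustration, and the samples are assumed to be hex tokens of one length, listed in the order the server issued them.

```python
import math
from collections import Counter

# Constructed sample tokens, in the order the server issued them.
WEAK = ["5f3a9c0000a7", "5f3a9c0000a8", "5f3a9c0000a9", "5f3a9c0000aa"]
STRONG = ["9e1b7c04d2a6", "03f85a6e1c7b", "c47d20b9f5e3", "6a92e3f18d40"]

def analyse_cookies(samples):
    """Report character set, constant positions and observed entropy."""
    if len({len(s) for s in samples}) != 1:
        raise ValueError("group samples by length before analysing")
    n = len(samples)
    fixed, bits = [], 0.0
    for pos, column in enumerate(zip(*samples)):
        counts = Counter(column)
        if len(counts) == 1:
            fixed.append(pos)      # same character in every sample
            continue
        # Shannon entropy of this position; capped at log2(n) by sample size.
        bits += -sum(c / n * math.log2(c / n) for c in counts.values())
    varying = [p for p in range(len(samples[0])) if p not in fixed]
    return {"charset": "".join(sorted(set("".join(samples)))),
            "fixed": fixed, "varying": varying, "bits": bits}

def looks_sequential(samples, positions, base=16):
    """True if the varying part, read as a number, grows by a constant step."""
    if not positions:
        return False
    try:
        values = [int("".join(s[p] for p in positions), base) for s in samples]
    except ValueError:
        return False               # varying part is not a number in this base
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}

if __name__ == "__main__":
    for name, tokens in (("weak", WEAK), ("strong", STRONG)):
        report = analyse_cookies(tokens)
        report["sequential"] = looks_sequential(tokens, report["varying"])
        print(name, report)
```

The entropy figure is only a lower-quality estimate from a handful of samples; a token generator that shows many fixed positions or a constant step between consecutive values should be replaced with one backed by a cryptographic random source.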