WebApp Sec mailing list archives
Re: SUMMARY modify non-persistent cookies and more q's
From: Dave Aitel <dave () immunitysec com>
Date: Thu, 19 Dec 2002 10:25:50 -0500
Try SPIKE Proxy. It's free, Open Source, Python, works on both Windows and Unix, and does practically everything, including support VulnXML, form brute forcing, etc. It also gives you a nice interface to rewrite cookies. With a little Python work you can customize it to whatever you are trying to do, if it doesn't fit your EXACT needs. http://www.immunitysec.com/spike.html Dave Aitel Immunity, Inc. On Thu, 19 Dec 2002 17:22:38 +0200 "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za> wrote:
I have developed a perl-based http/https proxy that I call mangle. It is not particularly friendly (all inline fiddling requires some perl coding), but it is pretty powerful because of that. It also has some ancillary scripts for analysing cookies (calculates the character set, attempts to determine predictability of the cookie), and"reviewing" the HTML returned by the server for links, SCRIPT fragments, HTML comments, and possible cross site scripting. It also has a Perl-Gtk GUI to assist in reviewing/documenting the conversations between the client and the server. If you are interested, mail me and I'll bundle it all up and send it on. Mangle is based on httpush, which is also perl based. HTTPush has slightly less rigorous requirements in terms of Perl modules installed, but it also has less functionality. Your call. Neither will work on Windows, because the Perl-SSL routines do not build on a Win32 platform. Rogan -----Original Message----- From: mono toy [mailto:mono () spurious biz] Sent: 19 December 2002 04:15 PM To: webappsec@securityfocus Subject: SUMMARY modify non-persistent cookies and more q's dear list, thanks for all the replies! i'll post a brief summary now and ask some more ... modifying non-persistant cookies is definitely possible :) some ways: - proxies, proxie-like things and testing suites (@stake, achilles, websleuth, etc.): i tried achilles (somewhat unstable), @stake's is too expensive, websleuth looks very nice but haven't had time to test it yet (i rarely use win boxes) - ram editors (winhex looks very nice, expensive too though) - handcrafting (via BHO, perl http-request module, ...) - the easiest way though: "javascript: document.cookie='CookieName=CookieValue';" :) as for the proxy and ram editor things: most of these tools were either expensive, or windows-only, or both. ... can somebody recommend some good, free, opensource, linux (or os x) variant for tools like winhex or websleuth? many thanks, nico
Current thread:
- RE: SUMMARY modify non-persistent cookies and more q's Dawes, Rogan (ZA - Johannesburg) (Dec 19)
- Re: SUMMARY modify non-persistent cookies and more q's Dave Aitel (Dec 19)
- <Possible follow-ups>
- Re: SUMMARY modify non-persistent cookies and more q's Chris Wysopal (Dec 20)