WebApp Sec mailing list archives

Re: Modifying non-persistent cookies


From: Rogan Dawes <discard () dawes za net>
Date: Mon, 12 Dec 2005 08:29:57 +0200

Jason binger wrote:
I am looking for an application that can modify a
non-persistent cookie's value permanently (while the
browser is open).

I am testing a web app where a UserID=Number is set in
the browser. If I change this number to another ID I
can access other users' functions, but I don't want to
have to manually change it with each request using a
web proxy.

Does anyone have some other ideas?

Cheers


There are a couple of ways of doing this with WebScarab:

1) Using the shared cookies tool (Tools -> Shared Cookies), add a new cookie with the value that you want to insert. You need to set the correct domain, path, cookie name, etc. Then select the Proxy plugin, and the Miscellaneous tab, where you will see an option "Insert known cookies into requests". Check this option to configure WebScarab to insert the cookie that you just added into the requests that come in via the browser.

2) Using the BeanShell scripting plugin.

There are two places that you can do this; it is up to you which you choose.

a) Via the Proxy->BeanShell plugin

Hit the checkbox to enable the plugin.

Write a snippet of Java code to modify the Cookie header appropriately:

e.g.

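  // Rewrite one cookie in the outgoing request, leaving the others untouched
  cookie = request.getHeader("Cookie");
  if (cookie != null) {
    cookies = cookie.split("; *");
    cookie = "";
    for (i = 0; i < cookies.length; i++) {
      nv = cookies[i].split("=", 2);
      if (nv[0].equals("yourcookiename")) {
        cookies[i] = nv[0] + "=" + "yournewvalue";
      }
      // re-append every cookie (modified or not) to the rebuilt header
      cookie = cookie + "; " + cookies[i];
    }
    // strip the leading "; " separator
    cookie = cookie.substring(2);
    request.setHeader("Cookie", cookie);
  }
  response = nextplugin.fetchResponse(request);
  return response;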

The exact code may vary, but I hope you get the idea.

When your code is finished, hit the commit button to activate it.

b) The other method is via the Tools->ScriptManager.

Select the Proxy node, and then "Intercept Request"

As per the hints in the description box, you would need to change the code above slightly.

Add the following line at the top:

request = connection.getRequest();

and then replace the last 2 lines with:

connection.setRequest(request);

Summary
=======

The first method is the most straightforward, but is susceptible to the server sending a new cookie to override the one you are currently using (if you also have "Extract cookies from responses" enabled).

The second (two) methods are more complicated, but also more powerful. Rather than simply replacing a cookie, you could also be doing things like calculating a digital signature of the parameters, or something equally complicated. The limit is your imagination, and your coding ability! ;-)

If you have any questions, please respond to the list, and I'll be happy to explain further.

Rogan
(the author of WebScarab ;-) )
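
The finding in this thread exists because the server trusts a bare `UserID=Number` cookie. As an added example (not part of the original post and not WebScarab code), this sketch shows one server-side mitigation: issue the ID with an HMAC tag and reject any cookie whose tag does not verify. The function names, the `id.tag` cookie layout and the key are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret; this value is constructed for the demo only.
SECRET_KEY = b"constructed-demo-key"


def _tag(user_id: str, key: bytes) -> str:
    """HMAC-SHA256 over the decimal user id, hex encoded."""
    return hmac.new(key, user_id.encode("ascii"), hashlib.sha256).hexdigest()


def sign_user_id(user_id: int, key: bytes = SECRET_KEY) -> str:
    """Return the cookie value 'id.tag' that the server hands to the browser."""
    return f"{user_id}.{_tag(str(user_id), key)}"


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into name -> value, skipping malformed pairs."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def authenticated_user_id(header: str, key: bytes = SECRET_KEY):
    """Return the user id only if the UserID cookie carries a valid tag, else None."""
    value = parse_cookie_header(header).get("UserID", "")
    user_id, sep, tag = value.partition(".")
    if not sep or not (user_id.isascii() and user_id.isdigit()):
        return None  # a bare 'UserID=1002' (no tag) is rejected outright
    # compare as bytes in constant time so the tag is not leaked via timing
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(user_id, key).encode("ascii")):
        return None
    return int(user_id)


if __name__ == "__main__":
    issued = "theme=dark; UserID=" + sign_user_id(1001)  # constructed sample header
    print(authenticated_user_id(issued))
    print(authenticated_user_id(issued.replace("UserID=1001.", "UserID=1002.")))
    print(authenticated_user_id("UserID=1002"))
```

A signed value stops the ID swap described in the question, but it is still a bearer token, so it needs the usual expiry and `Secure`/`HttpOnly` handling.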

