RE: SUMMARY modify non-persistent cookies and more q's

I have developed a perl-based http/https proxy that I call mangle. It is not particularly friendly (all inline fiddling requires some perl coding), but it is pretty powerful because of that.

It also has some ancillary scripts for analysing cookies (calculates the character set, attempts to determine predictability of the cookie), and "reviewing" the HTML returned by the server for links, SCRIPT fragments, HTML comments, and possible cross site scripting.

It also has a Perl-Gtk GUI to assist in reviewing/documenting the conversations between the client and the server.

If you are interested, mail me and I'll bundle it all up and send it on.

Mangle is based on httpush, which is also perl based. HTTPush has slightly less rigorous requirements in terms of Perl modules installed, but it also has less functionality. Your call. Neither will work on Windows, because the Perl-SSL routines do not build on a Win32 platform.

Rogan

-----Original Message-----
From: mono toy [mailto:mono@spurious.biz] Sent: 19 December 2002 04:15 PM
To: webappsec@securityfocus
Subject: SUMMARY modify non-persistent cookies and more q's

dear list,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

thanks for all the replies! i'll post a brief summary now and ask some more ...

modifying non-persistant cookies is definitely possible :) some ways:

• proxies, proxie-like things and testing suites (@stake, achilles, websleuth, etc.): i tried achilles (somewhat unstable), @stake's is too expensive, websleuth looks very nice but haven't had time to test it yet (i rarely use win boxes)
• ram editors (winhex looks very nice, expensive too though)
• handcrafting (via BHO, perl http-request module, ...)
• the easiest way though: "javascript: document.cookie='CookieName=CookieValue';" :)

as for the proxy and ram editor things: most of these tools were either expensive, or windows-only, or both. ... can somebody recommend some good, free, opensource, linux (or os x) variant for tools like winhex or websleuth?

many thanks,

nico Received on Thu Dec 19 10:26:26 2002