[OWASP-WEBSCARAB] Re: Modifing non-persistent cookies

Rogan Dawes discard at dawes.za.net
Mon Dec 12 01:29:57 EST 2005 

Jason binger wrote:
> I am looking for an application that can modify a
> non-persistent cookies value permanently (while the
> browser is open).
> 
> I am testing a web app where a UserID=Number is set in
> the browser. If I change this number to another ID I
> can access other users functions, but I don't want to
> have to manually change it with each request using a
> web proxy.
> 
> Does anyone have some other ideas?
> 
> Cheers
> 

There are a couple of ways of doing this with WebScarab:

1) Using the shared cookies tool (Tools -> Shared Cookies), add a new 
cookie with the value that you want to insert. You need to set the 
correct domain, path, cookie name, etc. Then select the Proxy plugin, 
and the Miscellaneous tab, where you will see an option "Insert known 
cookies into requests". Check this option to configure WebScarab to 
insert the cookie that you just added into the requests that come in via 
the browser.

2) Using the Beanshell scripting plugin.

There are two places that you can do this, it is up to you which you choose.

a) Via the Proxy->BeanShell plugin

Hit the checkbox to enable the plugin.

Write a snippet of Java code to modify the Cookie header appropriately:

e.g.

   cookie = request.getHeader("Cookie");
   cookies = cookie.split("; *");
   cookie = "";
   for (i = 0; i< cookies.length; i++) {
     nv = cookies[i].split("=", 2);
     if (nv[0].equals("yourcookiename") {
       nv[1] = "yournewvalue";
     }
     cookie = cookie + "; ";
   }
   cookie = cookie.substring(2);
   request.setHeader("Cookie", cookie);
   response = nextplugin.fetchResponse(request);
   return response;

The exact code may vary, but I hope you get the idea.

When your code is finished, hit the commit button to activate it.

b) The other method is via the Tools->ScriptManager.

Select the Proxy node, and then "Intercept Request"

As per the hints in the description box, you would need to change the 
code above slightly.

Add the following line at the top:

request = connection.getRequest();

and then replace the last 2 lines with:

connection.setRequest(request);

Summary
=======

The first method is the most straightforward, but is susceptible to the 
server sending a new cookie to override the one you are currently using 
(if you also have "Extract cookies from responses" enabled)

The second (two) methods are more complicated, but also more powerful. 
Rather than simply replacing a cookie, you could also be doing things 
like calculating a digital signature of the parameters, or something 
equally complicated. The limit is your imagination, and your coding 
ability! ;-)

If you have any questions, please respond to the list, and I'll be happy 
to explain further.

Rogan
(the author of WebScarab ;-) )

More information about the Owasp-webscarab mailing list