[OWASP-WEBSCARAB] Getting cookies properties

Rogan Dawes lists at dawes.za.net
Fri Apr 21 09:26:41 EDT 2006


chuanjiang lo wrote:
> Hi all,
> 
> I've tried writing something in beanshell.
> 
> String cookie = request.getHeader("Cookie");
> 
> This returns me the cookie name and value.
> 
> As I'm surfing the site, I'm trying to list out all the cookies that are not secure.
> 
> 
> How can I achieve that?
> 
> 
> 

Hi,

By "not secure", do you mean all the "Set-Cookie" headers that do not 
have the "secure" property set?

There are a few ways of doing this.

You may want to simply use the "Tools -> Shared Cookies" view into the 
cookies that have been set via the Proxy (assuming you have the 
Proxy->Miscellaneous->Get cookies from Responses option enabled) or 
Spider (if you have the Synchronize Cookies option enabled) plugins. The 
Shared Cookies viewer shows all the cookies that have been set, and one 
of the columns that it shows is whether the cookie had the "secure" flag 
enabled.

Alternatively, you may want to list all the conversations that had a 
"Set-Cookie" header, that were sent over an HTTPS connection, and did 
not have the "secure" flag set. You can do this in the Search plugin, 
using a script similar to:

request.getURL().toString().startsWith("https://") && 
response.getHeader("Set-Cookie") != null && 
response.getHeader("Set-Cookie").toLowerCase().indexOf("secure") == -1

Thirdly, if you are only interested in conversations through the proxy, 
you might try something like the following in the BeanShell plugin:

import java.io.*;

public Response fetchResponse(HTTPClient nextPlugin, Request request) 
throws IOException {
    response = nextPlugin.fetchResponse(request);
    cookie = response.getHeader("Set-Cookie");
    if ( cookie != null) {
       myWriter = bsf.lookupBean("myWriter");
       if (myWriter == null) {
          // create an instance of your class (open the file in append mode)
          myWriter = new FileWriter("c:/temp/cookies", true);
          // register it so that we can get it
          // back on a later invocation of this script
          bsf.registerBean("myWriter", myWriter);
       }
       // log the request URL followed by the Set-Cookie header value
       myWriter.write(request.getURL() + "\n");
       myWriter.write(cookie + "\n");
       myWriter.flush();
    }
    return response;
}

The above script will write the URL of any requests that have a response 
that contains a Set-Cookie header to a file. You can obviously be more 
selective about which ones you write out, e.g. testing if 
cookie.indexOf("secure") > -1, etc.

Hope this helps.

Rogan
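A stand-alone version of the check Rogan describes (HTTPS responses whose Set-Cookie headers lack the Secure attribute), added here as an example and not code from the list post or from WebScarab. It parses the cookie attributes rather than searching for the substring "secure", so a cookie whose name or value happens to contain that word is not mistaken for a Secure cookie; the URLs and header values are constructed sample data.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are compared case-insensitively, as the cookie spec allows."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def insecure_cookies(url: str, set_cookie_headers: List[str]) -> List[str]:
    """Return names of cookies set over HTTPS without the Secure attribute.
    Each element of set_cookie_headers is one Set-Cookie header value."""
    if not url.lower().startswith("https://"):
        return []
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            missing.append(name)
    return missing

# Constructed sample conversations: (URL, list of Set-Cookie header values).
SAMPLE_CONVERSATIONS = [
    ("https://example.test/login", [
        "JSESSIONID=abc123; Path=/; HttpOnly",   # HTTPS, no Secure -> flagged
        "pref=dark; Path=/; Secure",             # has Secure -> fine
        "secure_hint=1; Path=/",                 # name contains "secure" -> still flagged
    ]),
    ("http://example.test/", ["tracker=x; Path=/"]),  # plain HTTP -> out of scope
]

def report(conversations=SAMPLE_CONVERSATIONS) -> Dict[str, List[str]]:
    """Map each HTTPS URL to the cookie names it set without the Secure attribute."""
    result = {}
    for url, headers in conversations:
        names = insecure_cookies(url, headers)
        if names:
            result[url] = names
    return result

if __name__ == "__main__":
    for url, names in report().items():
        print(url, "->", ", ".join(names))
```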