From: Rogan Dawes (discarddawes.za.net)
Date: Mon Dec 12 2005 - 00:29:57 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jason binger wrote:
> I am looking for an application that can modify a
> non-persistent cookies value permanently (while the
> browser is open).
>
> I am testing a web app where a UserID=Number is set in
> the browser. If I change this number to another ID I
> can access other users functions, but I don't want to
> have to manually change it with each request using a
> web proxy.
>
> Does anyone have some other ideas?
>
> Cheers
>

There are a couple of ways of doing this with WebScarab:

1) Using the shared cookies tool (Tools -> Shared Cookies), add a new
cookie with the value that you want to insert. You need to set the
correct domain, path, cookie name, etc. Then select the Proxy plugin,
and the Miscellaneous tab, where you will see an option "Insert known
cookies into requests". Check this option to configure WebScarab to
insert the cookie that you just added into the requests that come in via
the browser.

2) Using the Beanshell scripting plugin.

There are two places that you can do this, it is up to you which you choose.

a) Via the Proxy->BeanShell plugin

Hit the checkbox to enable the plugin.

Write a snippet of Java code to modify the Cookie header appropriately:

e.g.

   cookie = request.getHeader("Cookie");
   cookies = cookie.split("; *");
   cookie = "";
   for (i = 0; i< cookies.length; i++) {
     nv = cookies[i].split("=", 2);
     if (nv[0].equals("yourcookiename") {
       nv[1] = "yournewvalue";
     }
     cookie = cookie + "; ";
   }
   cookie = cookie.substring(2);
   request.setHeader("Cookie", cookie);
   response = nextplugin.fetchResponse(request);
   return response;

The exact code may vary, but I hope you get the idea.

When your code is finished, hit the commit button to activate it.

b) The other method is via the Tools->ScriptManager.

Select the Proxy node, and then "Intercept Request"

As per the hints in the description box, you would need to change the
code above slightly.

Add the following line at the top:

request = connection.getRequest();

and then replace the last 2 lines with:

connection.setRequest(request);

Summary
=======

The first method is the most straightforward, but is susceptible to the
server sending a new cookie to override the one you are currently using
(if you also have "Extract cookies from responses" enabled)

The second (two) methods are more complicated, but also more powerful.
Rather than simply replacing a cookie, you could also be doing things
like calculating a digital signature of the parameters, or something
equally complicated. The limit is your imagination, and your coding
ability! ;-)

If you have any questions, please respond to the list, and I'll be happy
to explain further.

Rogan
(the author of WebScarab ;-) )

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]