Web Security : Automating with LibWWWPerl - Checking Session Expiration


1. Problem

You want to send expired cookies to the application to see whether the server really expunges its session state at about the same time the cookies expire. You can use Perl to modify the expiration date of the cookies your application sends you, and then keep presenting them after they should have died.

2. Solution

See Example 1.

Example 1. Perl script that modifies cookies
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

# To keep the jar on disk between runs, use a file-backed jar instead:
#my $myCookies = HTTP::Cookies->new(
#	file     => "cookies.txt",
#	autosave => 1,
#    );
my $myCookies = HTTP::Cookies->new();

my $URL = "https://www.example.com/w/signup.php";
my $UA  = LWP::UserAgent->new();
$UA->cookie_jar( $myCookies );

# Find a particular cookie from a particular domain. Add 1 week to
# its expiration. Delete the original cookie, store the modified
# cookie in our cookie jar. Uses an external namespace ($find::) to
# get the key, path, and domain to search for. Sets $find::changed
# to indicate the number of cookies that matched and were modified.
sub addOneWeek {
	my ($version, $key, $val, $path, $domain, $port, $path_spec,
		$secure, $expires, $discard, $rest) = @_;

	if( ($domain eq $find::domain) and
		($path   eq $find::path  ) and
		($key    eq $find::key   ) )
		{
			# scan() hands us an absolute expiry in epoch seconds; a
			# session cookie with no expiry has nothing to extend.
			return unless defined $expires;
			$expires = $expires + (3600 * 24 * 7); # seconds per week
			# set_cookie() takes a max-age relative to now, not an
			# absolute time, so convert before storing.
			my $maxage = $expires - time();
			$myCookies->clear( $domain, $path, $key );
			$myCookies->set_cookie( $version, $key, $val, $path,
				$domain, $port, $path_spec, $secure, $maxage, $discard,
				$rest );
			$find::changed++;
		}
}

# Find a particular cookie from a particular domain. Uses an external
# namespace ($find::) to get the key, path, and domain to search for. Prints
# all cookies that match.
sub showCookies {
	my ($version, $key, $val, $path, $domain, $port, $path_spec,
		$secure, $expires, $discard, $rest) = @_;

	if( ($domain eq $find::domain) and
		($path   eq $find::path  ) and
		($key    eq $find::key   ) )
		{
			print "$domain, $path, $key, $val, $expires\n";
		}
}

# First fetch a web page that sends a cookie.
my $req  = HTTP::Request->new( GET => $URL );
my $resp = $UA->request($req);

# The domain must be written exactly as the jar stores it: a cookie set
# with a Domain attribute is stored with a leading dot (".example.com"),
# one set without it is stored under the request host.
$find::domain  = "example.com";
$find::path    = "/";
$find::key     = "session_id";
$find::changed = 0;

# Show any matching cookies, in their original form.
$myCookies->scan( \&showCookies );

# Find them, and bump their expiration time by a week.
$myCookies->scan( \&addOneWeek  );

# Show the cookie jar, now that we modified it.
$myCookies->scan( \&showCookies );

3. Discussion

Note that HTTP::Cookies->new() creates an empty, temporary cookie jar that we later populate; the commented-out alternative above it would persist the jar to cookies.txt instead. Each of the three scan() calls passes a reference to a function (\&showCookies or \&addOneWeek). This is because the cookie jar's scan() routine uses a call-back mechanism to invoke our function on each cookie in the jar, which is perhaps a bit inelegant. Note also that scan() reports each cookie's expiry as an absolute time, while set_cookie() expects a max-age relative to now, so the script converts between the two when it stores the modified cookie.

3.1. Bad session expirations

You might use a technique like that shown in Example 1 to modify the cookie you're sent after you log in. Some applications rely on well-behaved web browsers to discard expired cookies. Suppose your session will expire due to inactivity at 12:44:02, so the web application sets the cookie to expire at 12:44:02. At that time the browser will throw away the cookie, so future requests will reach the server with no session information. You would be effectively logged out, because your browser threw away your session token.

What happens if the server does not discard the expired session at 12:44:02, however, but instead keeps it around until a garbage collection process runs at 1:00 p.m.? In that case your application is not working as advertised. There is a window of opportunity after the cookie expires but before the server cleans up its state. During that window a legitimate user would not present their cookie (their well-behaved browser has discarded it), but the server would still recognize and accept it if it were presented.

To detect such behavior, you can write a program very similar to Example 1. Your script would:

  1. Receive the cookie.

  2. Store the old expiration time.

  3. Modify the cookie to have a longer expiration.

  4. Go to sleep for a while. It can sleep until a little bit after the old expiration time.

  5. After waking up, issue a request for a page that would only succeed if the session cookie were still valid (at the server). That request’s success or failure tells you whether or not the application relies on cookie expiration for its session management.
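The five steps above carried through as one script, as an added example in Perl that is not part of the original recipe. The login URL, the protected-page URL, the cookie name session_id, and the assumption that the protected page answers with a non-2xx status when no valid session is presented are all hypothetical placeholders. Cookies are matched by name only, so the script does not depend on how the jar spells the domain, and the expiry is converted to the max-age that set_cookie() expects. The offline_demo() function feeds a constructed Set-Cookie response (not captured from any server) into the jar so the expiry arithmetic can be checked without network access; the live check runs only when LIVE_CHECK is set in the environment.

```perl
#!/usr/bin/perl
# Added example, not code from the original recipe: the five-step
# server-side session-expiry check, plus an offline self-test.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request;
use HTTP::Response;
use HTTP::Date qw(time2str);

# Hypothetical URLs and cookie name (assumptions, not from the original text).
my $LOGIN_URL     = "https://www.example.com/w/signup.php";
my $PROTECTED_URL = "https://www.example.com/w/account.php";
my $COOKIE_NAME   = "session_id";

# Absolute expiry (epoch seconds) of the named cookie, or undef if the
# cookie is absent or is a session cookie with no Expires attribute.
sub cookie_expiry {
    my ($jar, $name) = @_;
    my $found;
    $jar->scan(sub {
        my ($version, $key, $val, $path, $domain, $port, $path_spec,
            $secure, $expires, $discard, $rest) = @_;
        $found = $expires if $key eq $name;
    });
    return $found;
}

# Push the expiry of every cookie called $name forward by $extra seconds.
# set_cookie() takes a max-age relative to now, not an absolute time, so
# the stored expiry is converted before being written back. Matches are
# collected first and rewritten after scan() finishes. Returns the count.
sub extend_cookie {
    my ($jar, $name, $extra) = @_;
    my @matches;
    $jar->scan(sub {
        my @c = @_;                      # same order as scan() passes them
        my ($key, $expires) = @c[1, 8];
        push @matches, \@c if $key eq $name && defined $expires;
    });
    for my $c (@matches) {
        my ($version, $key, $val, $path, $domain, $port, $path_spec,
            $secure, $expires, $discard, $rest) = @$c;
        $jar->clear($domain, $path, $key);
        $jar->set_cookie($version, $key, $val, $path, $domain, $port,
            $path_spec, $secure, $expires + $extra - time(), $discard, $rest);
    }
    return scalar @matches;
}

# Steps 1-5 against a live server. Returns 1 if the protected page still
# succeeds after the original expiry (the server kept the session alive),
# 0 if it fails (the server expired the session on time). Assumes the
# protected page returns a non-2xx status when unauthenticated.
sub session_outlives_cookie {
    my ($ua, $jar, $grace) = @_;
    $grace //= 30;                                    # seconds past old expiry
    $ua->get($LOGIN_URL);                             # 1. receive the cookie
    my $old = cookie_expiry($jar, $COOKIE_NAME);      # 2. store old expiry
    die "no $COOKIE_NAME cookie with an expiry was received\n" unless defined $old;
    extend_cookie($jar, $COOKIE_NAME, 7 * 24 * 3600); # 3. lengthen it
    my $wait = $old + $grace - time();                # 4. sleep past old expiry
    sleep $wait if $wait > 0;
    my $probe = $ua->get($PROTECTED_URL);             # 5. does the session still work?
    return $probe->is_success ? 1 : 0;
}

# Offline self-test: a constructed response (not captured from any server)
# carries a cookie expiring in 60 s; after extend_cookie() the jar should
# hold an expiry about one week later. Returns 1 on success, 0 otherwise.
sub offline_demo {
    my $jar  = HTTP::Cookies->new();
    my $req  = HTTP::Request->new(GET => $LOGIN_URL);
    my $resp = HTTP::Response->new(200, "OK");
    $resp->request($req);                             # extract_cookies() needs the request URL
    my $soon = time() + 60;
    $resp->header("Set-Cookie" =>
        "$COOKIE_NAME=abc123; Path=/; Domain=example.com; Expires=" . time2str($soon));
    $jar->extract_cookies($resp);

    my $before = cookie_expiry($jar, $COOKIE_NAME);
    my $n      = extend_cookie($jar, $COOKIE_NAME, 7 * 24 * 3600);
    my $after  = cookie_expiry($jar, $COOKIE_NAME);
    my $delta  = $after - $before;
    printf "rewrote %d cookie(s); expiry moved by %d s (expected %d)\n",
        $n, $delta, 7 * 24 * 3600;
    return (abs($delta - 7 * 24 * 3600) <= 2) ? 1 : 0;  # allow the clock to tick once
}

if (!caller) {
    print offline_demo() ? "offline check ok\n" : "offline check FAILED\n";
    if ($ENV{LIVE_CHECK}) {
        my $jar = HTTP::Cookies->new();
        my $ua  = LWP::UserAgent->new();
        $ua->cookie_jar($jar);
        print session_outlives_cookie($ua, $jar)
            ? "server still accepts the session after cookie expiry\n"
            : "server expired the session on time\n";
    }
}
1;
```

Run it as-is to exercise only the offline part; set LIVE_CHECK=1 (and the real URLs) to perform the sleep-and-probe against the application under test. A success on the probe after the original expiry is the finding the recipe is after: the server is trusting the browser to enforce a lifetime it never enforces itself.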
