Web Security : Automating with LibWWWPerl - Checking Session Expiration

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

1. Problem

You want to send expired cookies to the application to see if the server really expunges its session state at about the same time the cookies expire. You can use Perl to modify the expiration date of cookies that your application sends.

2. Solution

See Example 1.

Example 1. Perl script that modifies cookies
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

#$myCookies = HTTP::Cookies->new(
#	file     => "cookies.txt", 
#	autosave => 1, 
#    );
$myCookies = HTTP::Cookies->new();

$URL  = "";
$UA   = LWP::UserAgent->new();
$UA->cookie_jar( $myCookies );

# Find a particular cookie from a particular domain. Add 1 week to
# it's expiration. Delete the original cookie, store the modified
# cookie in our cookie jar. Uses an external namespace ($find::) to
# get the key, path, and domain to search for. Sets $find::changed
# to indicate the number of cookies that matched and were modified.
sub addOneWeek {
	my ($version, $key, $val, $path, $domain, $port, $path_spec,
		$secure, $expires, $discard, $rest) = @_;

	if( ($domain eq $find::domain) and
		($path   eq $find::path  ) and
		($key    eq $find::key   ) )
			$expires = $expires + (3600 * 24 * 7); # seconds per week
			$myCookies->clear( $domain, $path, $key );
			$myCookies->set_cookie( $version, $key, $val, $path,
				$domain, $port, $path_spec,	$secure, $expires, $discard,
				$rest );

# Find a particular cookie from a particular domain. Uses an external
# namespace ($find::) to get the key, path, and domain to search for. Prints
# all cookies that match.
sub showCookies {
	my ($version, $key, $val, $path, $domain, $port, $path_spec,
		$secure, $expires, $discard, $rest) = @_;

	if( ($domain eq $find::domain) and
		($path   eq $find::path  ) and
		($key    eq $find::key   ) )
			print "$domain, $path, $key, $val, $expires\n";

# First fetch a web page that sends a cookie.
$req  = HTTP::Request->new( GET => $URL );
$resp = $UA->request($req);

$find::domain = "";
$find::path   = "/";
$find::key    = "session_id";

# Show any matching cookies, in their original form.
$myCookies->scan( \&showCookies );

# Find them, and bump their expiration time by a week.
$myCookies->scan( \&addOneWeek  );

# Show the cookie jar, now that we modified it.
$myCookies->scan( \&showCookies );


3. Discussion

Note that line 7 creates an empty, temporary cookie jar that we later populate.  Lines 56, 59, and 62 pass a pointer to a function in Perl. This is because the cookie jar scan() routine uses a call-back mechanism to invoke our function on each cookie in the jar—perhaps a bit inelegant.

3.1. Bad session expirations

You might use a technique like that shown in Example 8-5 to modify the cookie you’re sent after you log in. You see, some applications rely on well-behaved web browsers to discard expired cookies. Your session will expire due to inactivity at 12:44:02, so the web application sets the cookie to expire at 12:44:02. At that time the browser will throw away the cookie, so future requests will come to the server with no session information. You would be effectively logged out, because your browser threw away your session token.

What happens if the server does not discard the expired session at 12:44:02, however, but instead keeps it around until a garbage collection process runs at 1:00 p.m.? In that case your application is not working as advertised. There is a window of opportunity after the cookie expires, but before the server cleans up its state. In that time, a legitimate user would not use their cookie (their well-behaved browser will discard the expired cookie), but the server will recognize and allow it, if it is presented.

To detect such behavior, you can write a program very similar to Example 8-5. Your script would:

  1. Receive the cookie.

  2. Store the old expiration time.

  3. Modify the cookie to have a longer expiration.

  4. Go to sleep for a while. It can sleep until a little bit after the old expiration time.

  5. After waking up, issue a request for a page that would only succeed if the session cookie were still valid (at the server). That request’s success or failure tells you whether or not the application relies on cookie expiration for its session management.

Top 10
Free Mobile And Desktop Apps For Accessing Restricted Websites
TOYOTA CAMRY 2; 2.5 : Camry now more comely
KIA SORENTO 2.2CRDi : Fuel-sipping slugger
How To Setup, Password Protect & Encrypt Wireless Internet Connection
Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
Backup & Restore Game Progress From Any Game With SaveGameProgress
Generate A Facebook Timeline Cover Using A Free App
New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
- Messages forwarded by Outlook rule go nowhere
- Create and Deploy Windows 7 Image
- How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
- Creating and using an unencrypted cookie in ASP.NET
- Directories
- Poor Performance on Sharepoint 2010 Server
- SBS 2008 ~ The e-mail alias already exists...
- Public to Private IP - DNS Changes
- Send Email from Winform application
- How to create a .mdb file from ms sql server database.......
programming4us programming4us