The next topic of interest from the HTTP protocol is cookies. As HTTP is a stateless protocol, cookies provide a way to store persistent data on the client side. This allows a web server to have session management by persisting data to the cookie for the length of the session.
Cookies are set from the web server in the HTTP response using a Set-Cookie
header. They are then sent back to the server through the Cookie
header. This recipe will look at ways to audit the cookies being set by a website to verify if they have secure attributes or not.
The following is a recipe to enumerate through each of the cookies set on a target site and flag any insecure settings that are present:
import requests req = requests.get('http://www.packtpub.com') for cookie in req.cookies: print 'Name:', cookie.name print 'Value:', cookie.value if not cookie.secure: cookie.secure = 'x1b[31mFalsex1b[39;49m' print 'Secure:', cookie.secure if 'httponly' in cookie._rest.keys(): cookie.httponly = 'True' else: cookie.httponly = 'x1b[31mFalsex1b[39;49m' print 'HTTPOnly:', cookie.httponly if cookie.domain_initial_dot: cookie.domain_initial_dot = 'x1b[31mTruex1b[39;49m' print 'Loosly defined domain:', cookie.domain_initial_dot, ' '
We enumerate each cookie sent from the web server and check their attributes. The first two attributes are the name
and value
of the cookie:
print 'Name:', cookie.name print 'Value:', cookie.value
We then check for the secure
flag on the cookie:
if not cookie.secure: cookie.secure = 'x1b[31mFalsex1b[39;49m' print 'Secure:', cookie.secure
The Secure
flag on a cookies means it is only sent over HTTPS. This is good for cookies used for authentication because it means they can't be sniffed over the wire if, for example, someone is monitoring open network traffic.
Also note that the x1b[31m
code is a special ANSI escape code used to change the color of the terminal font. Here, we've highlighted the headers that are insecure in red. The x1b[39;49m
code resets the color back to default. See the Wikipedia page on ANSI for more information at http://en.wikipedia.org/wiki/ANSI_escape_code.
The next check is for the httponly
attribute:
if 'httponly' in cookie._rest.keys(): cookie.httponly = 'True' else: cookie.httponly = 'x1b[31mFalsex1b[39;49m' print 'HTTPOnly:', cookie.httponly
If this is set to True
, it means JavaScript cannot access the contents of the cookie, and it is sent to the browser and can only be read by the browser. This is used to mitigate against XSS attempts, so when penetration testing, the lack of this cookie attribute is a good thing.
We finally check for the domain in the cookie, to see if it starts with a dot:
if cookie.domain_initial_dot: cookie.domain_initial_dot = 'x1b[31mTruex1b[39;49m' print 'Loosly defined domain:', cookie.domain_initial_dot, ' '
If the domain
attribute of the cookie starts with a dot, it indicates the cookie is used across all subdomains and therefore possibly visible beyond the intended scope.
The following screenshot shows how the insecure flags are highlighted in red for the target website:
We've previously seen how to enumerate the technologies used to serve a website by extracting the headers. Certain frameworks also store information in the cookie, for example, PHP creates a cookies called PHPSESSION , which is used to store session data. Therefore, the presence of this data indicates the use of PHP, and the server can then be enumerated further in an attempt to test it for known PHP vulnerabilities.