Last active
March 1, 2017 09:51
-
-
Save 0x9090/cb1e3b20f65c0919313d770d269f2486 to your computer and use it in GitHub Desktop.
structured cookie testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - clear your browsers cache, delete everyting (this will log you out) | |
| - visit the page with the fresh reseted browser and see what cookie you get when you visit page first time (without being logged in) | |
| - save this cookie for later | |
| - now browse the site while beeing NOT logged in, see if and how the cookie changes | |
| - after collecting all data that not involves a session, go and log in | |
| - save this cookie, now compare with the cookie you gathered at first visit | |
| - check what fields have changed, those that stayed same will move down on the list as second choice for alter testing | |
| - any value that has changed, or any parameter that was beeing added, is now to be investigated | |
| - now try changing values, start with the IP and useragent field first | |
| - see if it logs you out after changing your useragent | |
| - if so, then you know that this is involved in your current session as auth factor | |
| - do the same with the IP field | |
| - for numeric values, try to fuzz around or confuse the interpreter, by: | |
| >> trying different numbers | |
| >> trying highest possible number, see what happens if you exceed this | |
| >> try negative numbers like -123 | |
| >> try fuzzing with closing and re-opening { }, or () to see if you can introduce new fields, etc. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment