Cookie Security Research


Xris

Feb 20, 2012, 10:11:27 AM2/20/12
to http-archive-...@googlegroups.com
Hi,
I would like to do some research on how web pages handle the security of their cookies.

I've considered using Striptize/Greasemonkey with JavaScript and the DOM to store all the necessary variables in localStorage/globalStorage, so that the browser could track how the session id and other variables change while the website is browsed and alert the user in case of a dramatic change.
I found that some cookie settings are not accessible via the DOM because of DOM XSS and others.

Then I found HAR project :)
I've read the description and it seems to cover most of my needs.
Could you give me some suggestions on how to solve this case and avoid silly mistakes while developing a solution with your tools?

Thank you very much in advance for any help.
Kris

Jan Honza Odvarko

Feb 23, 2012, 8:19:53 AM2/23/12
to http-archive-...@googlegroups.com
HAR (HTTP Archive) is a data format spec that is used by HTTP tracking tools when exporting collected data. This format also has fields for cookies.

So, HAR itself is not a tool.

You could perhaps use various tools adopting HAR (see the list of such tools here: http://www.softwareishard.com/blog/har-adopters/), take all the exported HAR files and do some additional analysis...

As far as Firefox is concerned, you might be interested in these extensions:
http://www.softwareishard.com/blog/firecookie/
https://addons.mozilla.org/en-US/firefox/addon/cookie-collector/?src=search
http://www.toolness.com/wp/2011/07/collusion/

Honza

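As an added illustration of the "additional analysis" Honza suggests (this is example code written for this page, not code from the HAR project, Honza or Kris): a small Node.js script that walks a HAR 1.2 document and audits its cookie fields. It checks Secure/HttpOnly on cookies set by responses, flags session cookies sent over plain HTTP, and records when the server replaces a session id between entries, which is the kind of "dramatic change" Kris wants to spot. The HAR document, the host example.test and the regex of cookie names treated as session ids are all constructed assumptions for the example.

```javascript
// Added example for this thread, not part of the HAR project or the original
// posts. Audits cookie fields in a HAR 1.2 log. In HAR, each entry carries
// request.cookies[] and response.cookies[] with name, value and the optional
// path, domain, expires, httpOnly and secure fields; when httpOnly/secure are
// absent the exporter did not see the attribute, so we treat them as false.

// Hand-constructed HAR for the example (not captured from a real site).
const sampleHar = {
  log: {
    version: "1.2",
    creator: { name: "constructed-example", version: "0" },
    entries: [
      {
        startedDateTime: "2012-02-20T10:00:00.000Z",
        request: { method: "GET", url: "https://example.test/login", cookies: [] },
        response: {
          status: 200,
          cookies: [
            // session cookie set without the Secure attribute
            { name: "SESSIONID", value: "a1b2c3", path: "/", httpOnly: true, secure: false },
            { name: "tracker", value: "xyz", path: "/", httpOnly: false, secure: false }
          ]
        }
      },
      {
        startedDateTime: "2012-02-20T10:00:05.000Z",
        // same session id is now sent over plain HTTP
        request: { method: "GET", url: "http://example.test/account",
          cookies: [{ name: "SESSIONID", value: "a1b2c3" }, { name: "tracker", value: "xyz" }] },
        response: { status: 200, cookies: [] }
      },
      {
        startedDateTime: "2012-02-20T10:00:09.000Z",
        request: { method: "POST", url: "https://example.test/account",
          cookies: [{ name: "SESSIONID", value: "a1b2c3" }] },
        response: {
          status: 200,
          // server rotates the session id
          cookies: [{ name: "SESSIONID", value: "d4e5f6", path: "/", httpOnly: true, secure: true }]
        }
      }
    ]
  }
};

// Cookie names treated as session identifiers (assumption; extend per site).
const SESSION_NAMES = /^(sessionid|jsessionid|phpsessid|asp\.net_sessionid)$/i;

// Returns a list of findings, in the order the entries appear in the log.
function auditHar(har) {
  const findings = [];
  const lastSet = new Map(); // cookie name -> last value a response set it to
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    const isHttps = url.toLowerCase().startsWith("https:");

    // Cookies the client sent: a session id on a cleartext request is exposed.
    for (const c of entry.request.cookies || []) {
      if (SESSION_NAMES.test(c.name) && !isHttps) {
        findings.push({ type: "session-over-http", name: c.name, url });
      }
    }

    // Cookies the server set: check attributes and watch for id rotation.
    for (const c of entry.response.cookies || []) {
      if (!SESSION_NAMES.test(c.name)) { lastSet.set(c.name, c.value); continue; }
      if (!c.httpOnly) findings.push({ type: "missing-httponly", name: c.name, url });
      if (!c.secure) findings.push({ type: "missing-secure", name: c.name, url });
      if (lastSet.has(c.name) && lastSet.get(c.name) !== c.value) {
        findings.push({ type: "session-rotated", name: c.name, url,
          from: lastSet.get(c.name), to: c.value });
      }
      lastSet.set(c.name, c.value);
    }
  }
  return findings;
}

console.log(JSON.stringify(auditHar(sampleHar), null, 2));
```

A session-rotated finding is not a defect by itself: a new id after login is what you want against session fixation. It is listed so the reviewer can see where the id changed and decide whether that point makes sense. Run the same function over HAR files exported from the tools on the adopters list to cover real traffic.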
Xris

Feb 28, 2012, 4:27:57 AM2/28/12
to HTTP Archive Specification
Hi Honza,
I'm aware HAR is not strictly a tool, but it looks like it will be very useful in my case.
Thank you for the explanation & links :)

Regards
Kris
> As far as Firefox is concerned you could be interested in these extensions
> http://www.softwareishard.com/blog/firecookie/
> https://addons.mozilla.org/en-US/firefox/addon/cookie-collector/?src=...
> http://www.toolness.com/wp/2011/07/collusion/
>
> Honza