The next topic of interest from the HTTP protocol is cookies. As HTTP is a stateless protocol, cookies provide a way to store persistent data on the client side. This allows a web server to implement session management by persisting a session identifier in a cookie for the length of the session.
Cookies are set by the web server in the HTTP response using a Set-Cookie header. They are then sent back to the server on each subsequent request through the Cookie header. This recipe will look at ways to audit the cookies being set by a website to verify whether they carry the secure attributes or not.
The following is a recipe to enumerate the cookies set by a target site and flag any insecure settings that are present:
    import requests

    # Fetch the page; requests collects every Set-Cookie header into req.cookies
    req = requests.get('http://www.packtpub.com')

    for cookie in req.cookies:
        print('Name:', cookie.name)
        print('Value:', cookie.value)
        # Highlight a missing Secure flag in red on the terminal
        if not cookie.secure:
            cookie.secure = '\x1b[31mFalse\x1b[39;49m'
        print('Secure:', cookie.secure)
        if 'httponly...
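The same audit can be run offline against raw Set-Cookie header values, which is useful when reviewing captured responses or a proxy log rather than a live site. The following is an added example, not code from the recipe: it parses each header with a small hypothetical parse_set_cookie helper and goes beyond the Secure/HttpOnly checks above by also flagging a missing SameSite attribute and the SameSite=None-without-Secure combination that browsers reject. The sample headers are constructed.

```python
# Constructed sample Set-Cookie header values (not from a real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "csrftoken=tok; Path=/; SameSite=None",
]


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, SameSite, ...) to their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in filter(None, parts[1:]):
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return a list of findings for one cookie (empty if it looks fine)."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if not attrs.get("secure"):
        findings.append("missing Secure: cookie is sent over plaintext HTTP")
    if not attrs.get("httponly"):
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    samesite = attrs.get("samesite")
    if not samesite:
        findings.append("missing SameSite: cookie is sent on cross-site requests")
    elif samesite.lower() == "none" and not attrs.get("secure"):
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    return findings


def audit_headers(headers):
    """Map cookie name -> findings for every Set-Cookie header given."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```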