Professional Documents
Culture Documents
• Javascript on one page can only modify javascript on another page if they share the same
origin – that is the same domain.
• Exception to SOP: set location of document, but can't change content;
• Firefox addon – firebug; can look at script, analyzing the network traffic, etc [like see GET
requests, the response from the server, etc.
• Firebug – cookies panel: inspect and manipulate cookies. Can see if cookie is httponly, etc.
• If httponly is not set, can access cookie from javascript – write in console:
“document.cookie”;
Burpe Suite
• reset configurations to get rid of prior: burpe → restore defaults → all options [new clean
environment];
• config proxy → options → edit proxy listener → check intercept server responses → firefox
preferences [configure proxy – 127.0.0.1: 8080];
• Proxy intercept → intercept is on → [see GET request] → forward OR [action → “send
to...”]
• target tab starts populating with sitemap, requests and responses, etc.
• [scope] → right click item in sitemap list on target and → add to scope;
• [scope] → copy URL and then paste in “target scope” and url will be added;
• on target tab → press filter button → show only inscope items;
• outside of scope intercept will ignore;
• when you've been on the site, the burpe site map will start gathering info: grey objects is
what burpe collects itself, and black objects is what you've browsed to;
• spider → options → form submission → prompt for guidance;
• start spider with “spider is paused”;
• repeater → right click on login page; send to repeater → see username & password
parameters and can manually manipulate them from here;
OWASP Zap