Threaded Mode | Linear Mode

Toppy · Apr. 24, 2008, 10:59 PM

Hi,

I'm new to this forum,
I have some problems with the fake cookie filter by sidki,

This is the some post I made on the castlecops forums, but I couldn't get it working with the help I received there (Thanks to whenever who did everything he could to help me, but I think the problem must be with the filter itself.

So, here goes :

I'm trying to fake a cookie value for some site, so I added this line into the IncludeExlude-U.ptxt file

Code:

[^.]+.sitename.com/ $SET(0=f_cookie.) $SET(sCookieF=browserID=Superbrowser)

According to the helpfile, this should replace the browserID value in the cookie with "Superbrowser" and that it does, unfortunatelly while it does that it also destroys any other cookievalues which were originally there.

When I access the site, the cookie is sent like :
Cookie: browserID=Superbrowser

In the response I get there is this :
Set-Cookie: sessionID=b939f638; path=/; domain=.sitename.com

So, I expect the next request I make to the site, this cookie will be sent :
Cookie: browserID=Superbrowser; sessionID=b939f638; path=/; domain=.sitename.com

...unfortunatelly, the filter somehow deletes all the contents, and only sends :

Cookie: browserID=Superbrowser

Please, what am I doing wrong, or does the filter deletes everything else by default ?

I'm just interested in anyone else trying out to fake part of some site's cookie, but I expect them to get the same results as I have.
either $SET(sCookieP=0)$SET(0=f_cookie.) doing exactly that, not faking a cookie, so if the site sets the cookie browserID=Firefox, the cookie isn't changed into browserID=Superbrowser (= not good)
or $SET(sCookieP=1)$SET(0=f_cookie.) doing just a blind add, resulting in double values being sent. (browserID=Firefox; browserID=Superbrowser) (= not good)
or the simple $SET(0=f_cookie.) which does nothing else than blindly overwriting the whole cookie string, not taking into account the restrictions set by for example $SET(sCookieF=browserID=Opera) only altering the browserID value, but rather simply overwriting EVERYTHING.

The Fake-Cookie filter from sidki is this one :

Code:

In = FALSE

Out = TRUE

Key = "Cookie: 2 Fake Cookies on sel. Sites     7.07.24 [sd] (d.0 l.3) (Out)"

URL = "($TST(keyword=\0&*.(a_cookie|i_level:[12]).)|$LST(AllowCookies))$SET(keyword=$TST(\0=\1.f_cookie.\2)\1.\2)$SET(sCookieP=)$SET(sCookieF=)PrxFail$TST()|$TST(\0=*.f_cookie.*)"

Match = "\0&($TST(sCookieP=0(^$TST(\0=*))|1$SET(1=; \0))$SET(sCookieP=)|(^$TST(sCookieP=*)))"

Replace = "$GET(sCookieF)\1$SET(sCookieF=)"

Please, can anyone help ?

***Kye-U*** · Apr. 24, 2008, 11:32 PM

My solution would involve using $SET(sCookieP=1), but then as you've stated, it may result in double-values being set. The filter does need to be modified for your purposes. An idea I have is getting the name of the attribute in the fake cookie, testing the actual cookie to see if it exists. IF it exists, then replace only its value. ELSE, append the entire attribute name and attribute value to the actual cookie.

I'm a bit strapped for time as I need to finish studying for my last final examination tomorrow, but I'll try to play around with this idea soon.

Toppy · Apr. 24, 2008, 11:46 PM

Ah great ! Thank you Kye-U.

Looking forward to it & all the best tomorrow ! Cool

**whenever** · Apr. 25, 2008, 02:26 PM

Kye-U Wrote:My solution would involve using $SET(sCookieP=1), but then as you've stated, it may result in double-values being set.

Hello Kye-U! Smile!

The original discussion is at http://www.castlecops.com/t218887-Fake_c...ites.html.

***Kye-U*** · Apr. 25, 2008, 11:54 PM

I seem to have problems testing my filter (even the original Fake cookie filter doesn't seem to be working), but I just wanted to post this anyways to give people an idea of what I'm after:

Code:

[HTTP headers]

In = FALSE

Out = TRUE

Key = "Cookie: 2 Fake/Replace Selected Cookies (Out)"

URL = "($TST(keyword=\0&*.(a_cookie|i_level:[12]).)|$LST(AllowCookies))$SET(keyword=$TST(\0=\1.f_cookie.\2)\1.\2)$SET(sCookieN=)$SET(sCookieV=)PrxFail$TST()|$TST(\0=*.f_cookie.*)"

Match = "\0&($TST(\0=\1$GET(sCookieN)=\2(;|)\3)$SET(9=\1$GET(sCookieN)=$GET(sCookieV);\3)|(^$TST(\0=*$GET(sCookieN)=*))$SET(9=$GET(sCookieN)=$GET(sCookieV);\0))"

Replace = "\9$SET(sCookieN=)$SET(sCookieV=)"

What you'd put in IncludeExclude-U:

Quote:[^.]+.domain.com/ $SET(0=f_cookie.) $SET(sCookieN=CookieName) $SET(sCookieV=CookieValue)

Theoretically, it should be working. The way I created this filter was, I started off with a fresh new filter, then entered some expressions, tested it, entered some more, entered some operators and tests, and when it was fully working, I injected the $GET() values in place of my test name and value, and added in the URL Match. Thus, it should work. (Make sure you backup the original filter just in case)

I'm pretty rusty with Header filters. Let me know how it goes!

This filter would replace the previous filter. It simply replaces the value of the attribute if it exists. If the attribute doesn't exist, then it'll insert the attribute and value at the beginning of the cookie. So, no functionality is lost with this filter Smile!

(if it works, that is!)

Toppy · Apr. 26, 2008, 10:27 AM

Hi,

I just tried this filter, it works partially, it does replace value with faked value, but cookie values are glued together like :

Cookie: browserID=OperasessionID=16515165df
instead of :

Cookie: browserID=Opera; sessionID=16515165df

so, in some way, the "; " part of the filter doesn't work.

Greets.

***Kye-U*** · Apr. 26, 2008, 07:55 PM

That's great! Try this:

Code:

[HTTP headers]

In = FALSE

Out = TRUE

Key = "Cookie: 2 Fake/Replace Selected Cookies (Out)"

URL = "($TST(keyword=\0&*.(a_cookie|i_level:[12]).)|$LST(AllowCookies))$SET(keyword=$TST(\0=\1.f_cookie.\2)\1.\2)$SET(sCookieN=)$SET(sCookieV=)PrxFail$TST()|$TST(\0=*.f_cookie.*)"

Match = "\0&($TST(\0=\1$GET(sCookieN)=\2(;|)\3\4)$SET(9=\1$GET(sCookieN)=$GET(sCookieV)\3\4)|(^$TST(\0=*$GET(sCookieN)=*))$SET(9=$GET(sCookieN)=$GET(sCookieV);\0))"

Replace = "\9$SET(sCookieN=)$SET(sCookieV=)"

Toppy · Aug. 06, 2008, 07:41 PM

Great !

* Sorry for the late reply.

***Kye-U*** · Aug. 06, 2008, 07:46 PM

Let me know if it works Smile!

If it does, I can include it as an unofficial update for Sidki's config set!

Toppy · Aug. 22, 2008, 10:56 AM

(Aug. 06, 2008 07:46 PM)Kye-U Wrote: Let me know if it works If it does, I can include it as an unofficial update for Sidki's config set!

Hi Kye-U,

Again, sorry for the late reply.
It works perfectly well ! Smile!

***ProxRocks*** · Aug. 22, 2008, 01:52 PM

saw this in the "beta updates" and gave it a whirl...

seems to work, but, um, "how" do i use it here -
http://www.msfn.org/board/forums.html

my "old" fake cookie looked like this, edited of course -

Code:

    $SET(0=f_cookie.)

    $SET(sCookieF=member_id=123456;pass_hash=hex;coppa=0)

ie, my "fake cookie" has THREE "names" and THREE values...
how do i get that to work with the new 'unofficial' filter update?

**whenever** · Aug. 22, 2008, 02:55 PM

(Apr. 24, 2008 10:59 PM)Toppy Wrote: or $SET(sCookieP=1)$SET(0=f_cookie.) doing just a blind add, resulting in double values being sent. (browserID=Firefox; browserID=Superbrowser) (= not good)

I think this could be solved by adding an entry in CookieValues.ptxt to remove the incoming browserID part.

***Kye-U*** · Aug. 23, 2008, 03:32 AM

(Aug. 22, 2008 01:52 PM)ProxRocks Wrote: my "old" fake cookie looked like this, edited of course -

Code:

$SET(0=f_cookie.) $SET(sCookieF=member_id=123456;pass_hash=hex;coppa=0)

ie, my "fake cookie" has THREE "names" and THREE values...
how do i get that to work with the new 'unofficial' filter update?

I've updated the filter in the sticky to use a different "keyword", f_cookie2 instead of f_cookie. You can use both filters simultaneously (as long as there are unique URL matches in the IncludeExclude-U blocklist). I forgot to take into account that being able to spoof multiple cookie attributes is a pretty handy thing D'oh!

***ProxRocks*** · Aug. 23, 2008, 01:11 PM