Accessing HTTP only cookies via .NET cookiecontainer

 

Results 1 to 10 of 10
I am making a web request and monitoring it in Charles' Proxy. I can see ...
  1. #1
    programmingboss is offline Newbies
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Default Accessing HTTP only cookies via .NET cookiecontainer

    I am making a web request and monitoring it in Charles' Proxy. I can see HTTP only cookies coming back in the response but I cannot access them via the cookiecontainer object. I can see other cookies in the container but not the HTTP only one I am after.

    Does anyone know how to do this? I know the information is available because Charles' Proxy can show my the value of the HTTP only cookie. However, I need access to it in .NET. I suspect this may need reflection but I am not sure how.

    Can anyone help? Thanks.




  2. #2
    theMagicNumber is online now Regular Member
    Join Date
    May 2010
    Posts
    341
    Thanks
    160
    Thanked 171 Times in 105 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Code:
     public void GetCookies(CookieContainer cookieContainer)
            {
                System.Type _ContainerType = typeof(CookieContainer);
                Hashtable table = (Hashtable)_ContainerType.InvokeMember("m_domainTable",
                                           System.Reflection.BindingFlags.NonPublic |
                                           System.Reflection.BindingFlags.GetField |
                                           System.Reflection.BindingFlags.Instance,
                                           null,
                                           cookieContainer,
                                           new object[] { });
                foreach (var pathList in table.Values)
                {
                    SortedList lstCookieCol = (SortedList)pathList.GetType().InvokeMember("m_list", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.GetField | System.Reflection.BindingFlags.Instance, null, pathList, new object[] { });
                    foreach (CookieCollection colCookies in lstCookieCol.Values)
                    {
                        foreach (Cookie c in colCookies)
                        {
                            if (c.HttpOnly)
                            {
                                //do the work here
                            }
                        }
                    }
                }
            }
    The code is not mine, just copied from here and there.
    If you know the domain you can use GetCookies(Uri uri) from CookieContainer.

    EDIT:
    I apologize, but i missed that it is VB.NET forum.
    Last edited by theMagicNumber; 05-21-2013 at 05:52 PM.

  3. The Following User Says Thank You to theMagicNumber For This Useful Post:

    programmingboss (05-21-2013)

  4. #3
    roach is offline Banned - see signature
    Join Date
    Sep 2009
    Location
    $rotate{Earth|Home|Here}
    Posts
    746
    Thanks
    321
    Thanked 371 Times in 204 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Hey brother here is the code you asked for in vb net.

    Dim logincookie As CookieContainer
    ' Create a request for the URL.
    Dim req As HttpWebRequest = HttpWebRequest.Create(URL)
    req.UserAgent = useragent

    req.Referer = "http://www.google.com"
    req.ContentType = "Accept-Encoding: gzip,deflate,sdch" 'Form content type
    req.ServicePoint.Expect100Continue = False
    req.Method = "GET" 'data will be requested in GET method
    req.CookieContainer = logincookie ' collecting cookies


    ' Get the response.
    Dim response As HttpWebResponse = req.GetResponse()
    For Each tempCookie In response.Cookies
    logincookie.Add(tempCookie)
    Next
    ' Display the status.
    'MessageBox.Show(CType(response, HttpWebResponse).StatusDescription)
    ' Get the stream containing content returned by the server.
    Dim dataStream As Stream = response.GetResponseStream()
    ' Open the stream using a StreamReader for easy access.
    Dim reader As New StreamReader(dataStream)
    ' Read the content.
    For Each tempCookie In response.Cookies
    logincookie.Add(tempCookie)
    Next
    Dim responseFromServer As String = reader.ReadToEnd()
    ' Display the content.
    'MessageBox.Show(responseFromServer)
    That is pretty much what I use. I just copied and pasted that out of one of my tools i made. Good luck! Also dont forget to close what you open...
    This member has been permanently banned from BHW.

  5. The Following User Says Thank You to roach For This Useful Post:

    programmingboss (05-21-2013)

  6. #4
    programmingboss is offline Newbies
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Thank you both.

    Roach I haven't run that code but I believe that is good for getting normal cookies but I don't think HTTP Only cookies can be accessed in that way. Please correct me if I am wrong.

    I am going to test out theMagicNumber's code as it looks good, if you don't hear from me then it worked.

  7. #5
    programmingboss is offline Newbies
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Unfortunately, it didn't work. The code is good, the problem is that the cookie doesn't show in the response.cookies cookiecontainer or in a cookiecollection object i attach to the request. Driving me crazy.

    I see the cookie in Charles Proxy, so I know it's part of the response. It doesn't have a Domain assigned to the cookie, could that be the problem?

    Here is what the raw response in Charles shows me;
    Set-Cookie: [COOKIE NAME HERE]=BAh7CDoQb2xkX2dldF91cmwiBi86D3Nlc3Npb25faWQiJTUwZ mVmNTAzZWVmM2U2Mzk0MDQ5ZjdiMzI4ODViMjFlOhBfY3NyZl9 0b2tlbiIxOEtFejBBcWZ3TDB4SUYyTVA1WVBnc3poWnIzZTdiR HJxelpKdmtES1ZTTT0%3D--5118f929221234fdf175ba825a2d1a96b346b9bb; path=/; HttpOnly

  8. #6
    innozemec's Avatar
    innozemec is offline ★★ InstantLinkIndexer.com
    Join Date
    Aug 2011
    Location
    www.Indexification.com
    Posts
    4,953
    Thanks
    1,416
    Thanked 1,653 Times in 1,299 Posts
    Blog Entries
    5

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    You sure the cookie isn't been set by Charles or set only if using a proxy? I remember once i had a system returning special response only when using a Proxy as when using Charles the connection gets proxied..i have gone crazy till i figured that out..

  9. The Following User Says Thank You to innozemec For This Useful Post:

    programmingboss (05-21-2013)

  10. #7
    programmingboss is offline Newbies
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Well, the request response i am checking with Charles (the one that shows the cookie) is the one being executed in my app. I have the app using the 127.0.0.1:8888 proxy so I can see it in Charles' Proxy.

    I realise HTTP only cookies are not meant to be accessed by the client, which is why .NET is not letting me get at it. But the cookie is in the response, I just need some kind of reflection code to access what .NET is hiding from me.

  11. #8
    programmingboss is offline Newbies
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Here's the raw response from Charles. I've replaced the domain name with XXXXX and trimmed the content, nothing else.

    Code:
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Status: 200
    X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.12
    X-Runtime: 42
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: mobile_view=false; domain=XXXXXXX; path=/
    Set-Cookie: 
    Set-Cookie: country_id=30; domain=XXXXXXX; path=/; expires=Wed, 21-May-2014 21:26:12 GMT
    Set-Cookie: 
    Set-Cookie: country_code=JP; domain=XXXXXXX; path=/; expires=Wed, 21-May-2014 21:26:12 GMT
    Set-Cookie: 
    Set-Cookie: language_id=1; domain=XXXXXXX; path=/; expires=Wed, 21-May-2014 21:26:12 GMT
    Set-Cookie: 
    Set-Cookie: l=; domain=XXXXXXX; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
    Set-Cookie: _XXXXXXX_session=BAh7CDoQb2xkX2dldF91cmwiBi86D3Nlc3Npb25faWQiJTc5NWNmYTM4YTk0MGNkYjEyZGMwNDViYzVkNjcyOTY3OhBfY3NyZl90b2tlbiIxRUhtcW5MdkQ0RS9LaTAvSjFBMGNjakZja0NxdDUwQklveS8xQ1Myck4zND0%3D--ef35cdf5911aaaee48c7c9f7d09fc5c5b3a4d5e4; path=/; HttpOnly
    ETag: "b0860cf08817b135d34ecc5c574f62c0"
    X-Content-Type-Options: nosniff
    Cache-Control: private, max-age=0, must-revalidate
    X-XSS-Protection: 1; mode=block
    Server: nginx/1.0.15 + Phusion Passenger 3.0.12 (mod_rails/mod_rack)
    Content-Encoding: gzip
    EDIT: The only cookie in the cookiecontainer is 'mobile_view' why are the others not there/visible?

  12. #9
    programmingboss is offline Newbies
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Got it, finally. You can get the raw header text with;
    Code:
    Response.Headers.ToString
    And now I can see the raw headers I posted above. Still don't know why .NET wasn't putting those cookies in the container but now I can manually at least.

  13. #10
    hatemachine's Avatar
    hatemachine is online now Regular Member
    Join Date
    Jan 2011
    Posts
    271
    Thanks
    159
    Thanked 1,066 Times in 340 Posts

    Default Re: Accessing HTTP only cookies via .NET cookiecontainer

    Quote Originally Posted by programmingboss View Post
    Got it, finally. You can get the raw header text with;
    Code:
    Response.Headers.ToString
    And now I can see the raw headers I posted above. Still don't know why .NET wasn't putting those cookies in the container but now I can manually at least.
    The official .NET CookieContainer implementation has been broken for years, better do it yourself.

  14. The Following User Says Thank You to hatemachine For This Useful Post:

    programmingboss (05-22-2013)


Similar Threads

  1. [HELP] Webbrowser cookies to webrequest cookiecontainer
    By carlx in forum Visual Basic .NET
    Replies: 1
    Last Post: 04-18-2013, 05:05 PM
  2. Accessing Site
    By blitzgeist in forum Black Hat SEO
    Replies: 0
    Last Post: 07-24-2012, 05:51 PM
  3. Youtube - Cookies, Cash and FLASH Cookies
    By liberpax in forum Social Networking Sites
    Replies: 11
    Last Post: 07-05-2010, 11:58 AM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  




BlackHatWorld on Twitter BlackHatWorld on FaceBook


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109