Cookie being set by an image? - http

I am trying to work out how cookies are being set on a website. I have scoured the page source and can see how most of them are being generated.
However, there is one cookie that appears on page load that I can't track down.
Is it possible that a cookie is being set when an image is being requested from a remote server? If so, can I inspect that HTTP request/response with a tool to find out if it contains the cookie?

Any HTTP-Request can set a cookie, if the server says so.
Cookies are set using the Set-Cookie HTTP header, sent in an HTTP response from the web server.
https://en.wikipedia.org/wiki/HTTP_cookie#Setting_a_cookie

A request for an image is basically the same as a request for an HTML page. It uses the same request/response structure. So yes, you can set a cookie on an image request.
The request/response can be seen in most modern browsers. In Firefox, under Tools -> Web Developer -> Network, there is a tool that shows the requests/responses from all calls being made on a page. Opera and Chrome have similar functionality.

Related

What could cause a browser to not respect set-cookie response headers?

I have a web server which returns 200 OK with a bunch of Set-Cookie headers, and an HTML page which loads a bunch of scripts from the same server.
However, the subsequent loads that were spawned from that HTML page submit a different cookie in their HTTP request headers.
What could be causing that? Surely there's some policy I'm missing out on, but I don't see why it works on some pages and not others?
I'm using Chrome as the browser, but this behavior also happened from iOS, so I'm guessing it's not browser specific.
So after a lot more reading and troubleshooting, it turns out that when you don't set a cookie path, it'll default to whatever path the original request set-cookie was sent to. And because my resource paths had a different path, the cookie was not sent.
Adding Path=/ fixed it for my issue. Of course, if you don't want your cookie to be accessible to all pages this is bad, but my web-server requires requests to come with cookies because they are sensitive data (for security reasons).
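The path rule described in this answer, as an added example that is not part of the original post: it follows the default-path and path-match steps of RFC 6265 section 5.1.4 and models the path check only (not Domain, Secure or SameSite). The host `app.example.test` and the cookie values are constructed.

```python
from urllib.parse import urlsplit


def default_path(request_url):
    """Path a cookie gets when Set-Cookie carries no usable Path attribute."""
    uri_path = urlsplit(request_url).path
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return uri_path[: uri_path.rfind("/")]


def path_attribute(set_cookie):
    """Value of the last Path attribute in a Set-Cookie header value, or None."""
    found = None
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path":
            found = value.strip()
    return found


def path_matches(cookie_path, request_path):
    """True when request_path equals cookie_path or lies below it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(set_by_url, set_cookie, later_url):
    """Would a cookie set by set_by_url be attached to a request for later_url?"""
    path = path_attribute(set_cookie)
    if not path or not path.startswith("/"):
        path = default_path(set_by_url)
    return path_matches(path, urlsplit(later_url).path or "/")
```
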

Is there another way to set cookies than through HTTP headers?

I'm writing some http client code to interact with a website, and I need to set some cookies. Simply visiting the website sets 4 cookies (as seen in Chrome Settings).
However, when I look at the HTTP response headers for when those cookies were set (using Live HTTP Headers extension), there is no Set-Cookie header anywhere. How were those cookies set? Is there another way than through Set-Cookie?
Edit: Some of the cookies are HttpOnly.
If you load a site in your browser, it might also load other assets that can also set cookies (given that they are on the same domain).
But there is a second way to set cookies: with JavaScript via document.cookies.
As far as I know, if your JavaScript or Python code sets a cookie for that domain, then the response will include the SET-COOKIE field. You can view that from at least the inspect console.
So I see that you're using HTTP live extension, but it doesn't look like it shows that field in the response.
I tried looking for other extensions that could show it, but I wasn't able to find one as far as I know. I suppose we both can always fall back to the Chrome inspect console. If you go to the network tab, you should actually see the req-resp.
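An added example, not part of any post above, that serves both this thread and the image question at the top of the page: it scans a browser Network-tab capture for the response (image or otherwise) that set each cookie, and lists cookies that no captured response set. It assumes the capture was saved in HAR format; the sample capture, hosts and cookie values are constructed.

```python
# Constructed sample in HAR 1.2 layout (hosts and values are made up).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://shop.example.test/", "headers": []},
     "response": {"content": {"mimeType": "text/html"}, "headers": [
         {"name": "Set-Cookie", "value": "sid=abc; Path=/; HttpOnly"}]}},
    {"request": {"url": "https://cdn.example.test/pixel.gif", "headers": []},
     "response": {"content": {"mimeType": "image/gif"}, "headers": [
         {"name": "set-cookie", "value": "track=42; Path=/"}]}},
    {"request": {"url": "https://shop.example.test/app.js", "headers": [
        {"name": "Cookie", "value": "sid=abc; _ga=GA1.0.constructed"}]},
     "response": {"content": {"mimeType": "application/javascript"}, "headers": []}},
]}}


def _values(message, header_name):
    """All values of one header (case-insensitive) in a HAR request or response."""
    return [h["value"] for h in message.get("headers", [])
            if h["name"].lower() == header_name]


def cookies_set_by_responses(har):
    """Cookie name -> [(request URL, MIME type, HttpOnly?)] for every Set-Cookie seen."""
    origins = {}
    for entry in har["log"]["entries"]:
        response = entry["response"]
        mime = response.get("content", {}).get("mimeType", "")
        for raw in _values(response, "set-cookie"):
            # Some exporters join repeated Set-Cookie headers with newlines.
            for line in filter(None, raw.split("\n")):
                pair, *attrs = line.split(";")
                name = pair.split("=", 1)[0].strip()
                httponly = any(a.strip().lower() == "httponly" for a in attrs)
                origins.setdefault(name, []).append(
                    (entry["request"]["url"], mime, httponly))
    return origins


def cookies_without_set_cookie(har):
    """Cookies the browser sent that no captured response set: written by
    script or already stored before the capture started."""
    sent = set()
    for entry in har["log"]["entries"]:
        for raw in _values(entry["request"], "cookie"):
            sent.update(p.split("=", 1)[0].strip()
                        for p in raw.split(";") if p.strip())
    return sorted(sent - set(cookies_set_by_responses(har)))
```

To run it on a real capture, pass the result of `json.load()` on the exported `.har` file. Clear the site's cookies before recording so that anything `cookies_without_set_cookie` reports was written by script rather than left over from an earlier visit.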

Why is a cookie being sent, even if it wasn't added in the header?

I am trying to create a GET request using HttpRequester (an add-on in Firefox), and I am analyzing the packet using HttpFox (an add-on in Firefox).
I have created a GET packet with the following parameters:
url :-http://enquiry.indianrail.gov.in/ntes
Headers
Host :- enquiry.indianrail.gov.in
Referer :- http://enquiry.indianrail.gov.in/ntes/
When I submit this request, I get a response code of 200. In the HttpFox add-on, when I analyze my packet, I see that there is an additional field in the header named
cookie with value _ga=GA1.3.150104442.1441509203.
Relevant information:
Before sending the request, I deleted all the cookies for enquiry.indianrail.gov.in.
Running all this behind a proxy server.
I get the response 200 in HttpRequester, while 302 in HttpFox.
I want to know: if I am not attaching a cookie in my header, then why does HttpFox show a cookie in the header (with response code 302)?
The _ga cookie is a Google tracking cookie. It is a client cookie created by Google analytics.js running in your browser. The analytics.js is included by common.js, which is included in the /ntes home page.
HttpRequester will not execute the JavaScript logic which creates the client-side _ga cookie. It may not automatically load the analytics.js either. If you are trying to automate a page that needs to execute JavaScript, one simple way is to use a headless browser, such as PhantomJS.

HTTP Request without cookies

I have a web application in which I generate a download link to an external Google resource. This request usually needs a cookie. Because of the cross-domain policy, I currently download the files with curl and then pass them through to the user. Now those files are large, so I was looking for a way to download them directly through the client's browser.
Playing around, I've found out that I can append the cookie in question to the HTTP query, but this only works if no other cookies are set! Since it's Google, almost all users will have set some cookies for .google.com. Is there any way (maybe some security feature or bug) I can trigger a download request for that file in the user's browser without sending any cookies along?
I discovered that I can make a request to *.google.com. (notice the . at the end) and then most browsers won't send any cookies set for .google.com. I did a quick test using browsershots and on my own devices. The hack works in almost all browsers except for Safari (desktop and mobile) and some no-name browsers.
While this works, I've decided not to use that method because the file name will be set to something unusable (no file extension).

How to spoof http referer

As of current, are there still any methods to spoof HTTP referer?
Yes.
The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT.
If you wrote the web browser, you're setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc.
You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.
If you want to redirect a visitor to another website and set their browser's referrer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referrer on the visitor's browser. It will show the page from your site that linked to it.
What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referrer is necessary, then display the page to the user from your server.
Yes, the HTTP referer header can be spoofed.
A common way to play with HTTP headers is to use a tool like cURL:
Sending headers using cURL:
How to send a header using a HTTP request through a curl call?
or
The cURL docs:
http://curl.haxx.se/docs/
Yes, of course. The browser can avoid sending it, and it can also be "spoofed". There's an add-on for Firefox (I haven't tried it myself), and you can likely also use something like privoxy (but it is harder to make it change dynamically). Using other tools like wget, it is as easy as setting the proper option.
