How To: Reproduce Cookie Violations
This how-to describes the best way to reproduce cookie violations, which is often a very confusing topic. First of all, it helps to know exactly how our crawler works in this case:
How Nimbusec visits websites
The Nimbusec crawler is technically based on a headless Chrome browser. It is configured and extended so that website fingerprinting scripts have a very hard time detecting whether it is a bot (as it is) or a regular visitor.
EVERY URL IS VISITED FROM A NEW, CLEAN BROWSER WINDOW IN INCOGNITO MODE. NO COOKIES ARE ENABLED, NO PLUGINS OR AD BLOCKER INSTALLED!
Step by step:
- The crawler receives a base URL to crawl. That can be "http://example.com" or "http://example.com/foo".
- The base URL will be visited as a unique user and stored. This one is very important: EVERY URL VISITED IS COMPARABLE TO A NEW, CLEAN BROWSER WINDOW, without any session cookies or anything else. That means that every page is visited like this:
  - closing the browser (if one is currently open)
  - opening a new browser in incognito mode
  - typing the whole URL into the address bar and visiting it
- Stored content will be analyzed
- All links will be parsed
  - external links (domain differs from the base domain) will be scanned just once for malware and reputation, to make sure no harm comes from an outgoing link at the time of scanning
  - internal links (domain stays the same) will be stored as well for further analysis, and will be followed
- Stored content will be analyzed in different flavors, e.g. compliance (including cookies)
How to check this manually
We strongly recommend doing this from within a sandbox that can be reset to a clean state before proceeding with a new project. This not only protects you from being hacked by a website that might be attacking, but also keeps you as close as possible to our systems and to most pre-installed user systems.
Therefore, a virtual machine running Linux would be the best solution.
You also need a freshly installed browser such as Chromium, without any cookies.
Requirements
- Virtual Machine with Linux installed
- Browser (e.g. Chromium) without
  - Ad Blocker
  - Configuration to block anything out of the box
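One way to script the "new, clean browser window for every URL" visit inside the sandbox VM. This is an added example, not Nimbusec's crawler or tooling; it assumes the browser binary is called `chromium` (override with `BROWSER=`), and the function names `fresh_profile` and `visit_clean` are made up for this sketch.

```shell
#!/bin/sh
# Added example: open every URL in its own throwaway Chromium profile,
# so no cookies, cache or extensions carry over from one visit to the next.
# Assumption: the browser binary is "chromium"; override with BROWSER=...
BROWSER="${BROWSER:-chromium}"

# Create an empty profile directory and print its path.
fresh_profile() {
    mktemp -d "${TMPDIR:-/tmp}/cookie-check.XXXXXX"
}

# Visit one URL in a fresh incognito window, then delete the profile.
# Runs in a subshell so its variables do not leak into the caller.
visit_clean() (
    profile=$(fresh_profile) || exit 1
    # Blocks until the browser window is closed by the tester.
    "$BROWSER" \
        --user-data-dir="$profile" \
        --incognito \
        --no-first-run \
        --no-default-browser-check \
        "$1"
    rc=$?
    rm -rf -- "$profile"
    exit "$rc"
)

# One fresh browser per URL given on the command line, e.g.
#   ./visit-clean.sh http://example.com http://example.com/foo
for url in "$@"; do
    visit_clean "$url"
done
```

Inspect the cookies for each page in the browser's developer tools before closing the window; closing it moves on to the next URL with a new, empty profile.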