<testcase>
<info>
<keywords>
HTTP
cookies
--resolve
</keywords>
</info>

#
# Server-side
#
# Three canned responses, served in order:
#  1. over HTTPS: sets two cookies flagged Secure (SESSIONID, and second with
#     path=/a) and redirects the client DOWN to plain http:// on the same host.
#  2. over HTTP: tries to overwrite both cookies with non-Secure values
#     (SESSIONID with an explicit domain=, second with the deeper path=/a/b)
#     and redirects back UP to https://.
#  3. over HTTPS: plain 200, used only to observe which Cookie header is sent.
#
# The security property under test is "leave secure cookies alone": a cookie
# received over a non-secure channel must not replace an existing Secure
# cookie of the same name that would match the same requests.
<reply>
<data nocheck="yes">
HTTP/1.1 301 OK
Date: Tue, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Length: 6
Set-Cookie: SESSIONID=originaltoken; secure
Set-Cookie: second=originaltoken; secure; path=/a
Location: http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER0002

-foo-
</data>

<data2>
HTTP/1.1 301 OK
Date: Tue, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Length: 6
Set-Cookie: SESSIONID=hacker; domain=attack.invalid;
Set-Cookie: second=replacement; path=/a/b
Location: https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER0003

-foo-
</data2>

<data3>
HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Length: 6

-foo-
</data3>
</reply>

#
# Client-side
#
# --resolve pins attack.invalid (a reserved, never-resolvable TLD) to the
# test host for both ports, so no DNS lookup happens and the HTTP and HTTPS
# hops are guaranteed to land on the harness servers.
# --insecure disables TLS certificate verification; it is here only so the
# harness's test certificate is accepted, and is not a pattern to copy.
# -L follows both redirects; -c writes the resulting cookie jar.
<client>
<server>
http
https
</server>
<name>
HTTPS sec-cookie, HTTP redirect, same name cookie, redirect back
</name>
<command>
https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER --insecure -c %LOGDIR/cookie%TESTNUMBER --resolve attack.invalid:%HTTPSPORT:%HOSTIP --resolve attack.invalid:%HTTPPORT:%HOSTIP -L
</command>
</client>

#
# Verify data after the test has been "shot"
#
# Two things are asserted by the expected request trace:
#  - the second request (plain HTTP) carries NO Cookie header: Secure cookies
#    are never sent over a cleartext hop, even to the same host.
#  - the third request (HTTPS again) still carries the ORIGINAL values, so the
#    non-Secure SESSIONID=hacker / second=replacement set over HTTP were
#    rejected rather than overwriting the Secure cookies.
# NOTE(review): only the on-the-wire Cookie header is checked; the cookie jar
# written by -c is not inspected, so a rejected cookie that was nevertheless
# persisted (but not matched on send) would go unnoticed. A verify-section
# check of the jar file would close that gap.
<verify>
<protocol>
GET /a/b/%TESTNUMBER HTTP/1.1
Host: attack.invalid:%HTTPSPORT
User-Agent: curl/%VERSION
Accept: */*

GET /a/b/%TESTNUMBER0002 HTTP/1.1
Host: attack.invalid:%HTTPPORT
User-Agent: curl/%VERSION
Accept: */*

GET /a/b/%TESTNUMBER0003 HTTP/1.1
Host: attack.invalid:%HTTPSPORT
User-Agent: curl/%VERSION
Accept: */*
Cookie: SESSIONID=originaltoken; second=originaltoken

</protocol>
</verify>
</testcase>