Closed sitraj closed 4 years ago
Initially, the idea of not having a configurable state (cookie) was that, at least back when slowhttptest was developed, every implementation we looked at would require reading the entire HTTP request before parsing out the state. Things might've changed, so I'll try to add cookie support.
Yes, the requirement in our case is that we have a login mechanism handled through a SAML server, so when the first request comes from the client, the request gets redirected to the SAML login page.
Because of this, if we use slowhttptest and provide our application URL http://xxx.com/dashboard, the response will be 302, and in my opinion we will not be able to get the correct readings of slowhttptest for xxx.com (which is our web application).
So I was thinking that if we could provide the authentication cookie along with the request, then probably the page will not get redirected to the SAML login page and the actual dashboard of xxx.com will get opened.
Hope I am able to put my scenario in a readable way. Let me know if I am ambiguous or you require any more information.
I have implemented this locally but wasn't sure at all if anyone cared. Turns out they do! I can... probably figure out how to do pull requests if interested.
For background, I ran into a discrepancy when doing testing on a server I thought should be vulnerable. This application 302s to a login server if no session cookie is set. As a test I grabbed a fresh set of session cookies and appended them to request_ in a quick build and I was able to take down the target.
My changes introduce a new parameter (-j), and add Cookie to info() and the running test status and results.
Cool, would like to use this implementation. Could you please share/check in the changes, so I can pull them?
Thanks a lot @maikthulhu, I will go through it and will update you with the results.
Just bumping this to see if anyone's had a chance to look at the changes.
Hi Shekyan,
The slowhttptest tool is very helpful in testing DoS attacks on the server. I am trying to use this tool to test our application, which requires authentication for successful access.
As a part of authentication we use SAML, so the request gets redirected to the SAML server if it does not find authentication cookies in it.
So, to test using this tool, I was thinking I could add authentication cookies in the request headers so the server will respond correctly.
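
The redirect behaviour discussed in this thread can be checked before a test run with a single request that does not follow redirects. This is an added example, not code from slowhttptest or from any participant in the thread; the local stand-in server, the cookie value and the `/saml/login` path are constructed, and `probe` handles plain HTTP only.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SESSION_COOKIE = "session=constructed-value"  # constructed sample, not a real cookie


class FakeApp(BaseHTTPRequestHandler):
    """Constructed stand-in for an app behind SSO: no cookie -> 302 to login."""

    def do_GET(self):
        if SESSION_COOKIE in self.headers.get("Cookie", ""):
            self.send_response(200)
        else:
            self.send_response(302)
            self.send_header("Location", "/saml/login")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def probe(url, cookie=None):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    headers = {"Cookie": cookie} if cookie else {}
    try:
        conn.request("GET", parts.path or "/", headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/dashboard"
    try:
        return probe(url), probe(url, SESSION_COOKIE)  # without, then with cookie
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

A 302 with a `Location` pointing at the login server means the measurements would describe the redirect handler, not the application page.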