© 2018 Caendra Inc.

| Hera for WAPTv3 | Introduction 1

In these Introduction labs, the student will learn some basic concepts on Same Origin
Policy and Cookies. There are a few different web applications available to the student in
order to test and practice different implementations.

Once you are connected in VPN to the lab environment, all the web applications will be
available at the following URL: http://info.introduction.site/.

There are three main sections for each type of lab: Video, Lab, Challenges.

• Video section contains web applications used during video lessons. Therefore, if
you need any information about the scenario, the attacks and so on, please refer to
the corresponding video.
• Labs section contains web application where you can practice the techniques of the
specific module and have solutions. You can find them later in this manual
• Challenges labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The main goal of these labs is understand how the Same Origin Policy and the Cookies
work. Navigate the web application and inspect how they behave.

The best tool is, as usual, your brain. Then you may need of:

• Web Browser
• Firebug or a cookie inspector plugin

In order to test the cookie lab, you will have to log into the application. Credentials are
already stored in the form. You can login by clicking on the “Sign in” button.

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 2

Once you have your virtual network ready, configure the following IP address as default
DNS: 10.100.13.37

• WINDOWS: change the property of the TAP network device, adding as first DNS
server of the IP of the server.
• LINUX: add an entry into /etc/resolv.conf file with the IP address of the server

All the web applications contain a login page that the student can use to access the web
app. Notice that the forms are already filled with the correct credentials to log in, so you
just need to click on "Login."

As soon as you access the web application, depending on the web application, cookies will
be set with different configuration.

Log into the web applications and inspect the cookies: navigate different pages, domains
and subdomains in order to check when and where the cookies are sent.

• How cookies work depending on how they are set

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 3

Please go ahead, only if you are really stuck or if you have
completed the labs.

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 4

Once you click on the login button, the web application sets the following cookie:

• Name: TestCookie
• Value: Cookie set by default
• Domain: a.correctcookie1.site
• Path: /
• Expires: Session

The code that the application uses is the following:

setcookie("TestCookie", "Cookie set by default");

As you can see, everything is set by default, except the name and the cookie value. This
means that the cookie will only be sent to:

• http://a.correctcookie1.site/*
• https://a.correctcookie1.site/*

You can now test when the cookie is sent by clicking on the links displayed in the page.

• Different path: the cookie is sent.

• Different subdomain: the cookie is not sent
• Different domain: the cookie is not sent

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 5

Once you click on the login button, the web application sets the following cookie:

• Name: TestCookie
• Value: Cookie set to correctcookie2.site
• Domain: .correctcookie2.site
• Path: /
• Expires: Session

The code that the application uses is the following:

setcookie("TestCookie", "Cookie set to correctcookie2.site",

null, null, "correctcookie2.site");

As you can see, the domain has been set to correctcookie2.site. This means that the cookie
will only be sent to:

• http://correctcookie2.site/*
• https://correctcookie2.site/*
• http://*.correctcookie2.site/*
• https://*.correctcookie2.site/*

You can now test when the cookie is sent, by clicking on the links displayed in the page.

• Different path: the cookie is sent.

• Different subdomain: the cookie is sent
• Different domain: the cookie is not sent

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 6

Once you click on the login button, the web application sets the following cookie:

• Name: TestCookie
• Value: Cookie set to /test/
• Domain: a.correctcookie3.site
• Path: /test/
• Expires: Session

The code that the application uses is the following:

setcookie("TestCookie", "Cookie set to /test/", null, "/test/");

As you can see, the path has been set to /test/. This means that the cookie will only be
sent to:

• http://a.correctcookie3.site/test/*
• https://a.correctcookie3.site/test/*

You can now test when the cookie is sent, by clicking on the links displayed in the page.

• Different path: the cookie is not sent.

• Different subdomain: the cookie is not sent
• Different domain: the cookie is not sent

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 7

Once you click on the login button, the web application sets the following cookie:

• Name: TestCookie
• Value: Cookie value set to A for .correctcookie4.site
• Domain: .correctcookie4.site
• Path: /
• Expires: Session

The code that the application uses is the following:

setcookie("TestCookie", "Cookie value set to A for

.correctcookie4.site", null, null, ".correctcookie4.site");

As you can see, the domain has been set to correctcookie4.site. However, what
happens if the parent domain (correctcookie4.site) tries to set a cookie with the
same value?

To test this, you can click on "Set a new cookie from correctoockie4.site". This is the code
used by the web application (correctcookie4.site/setnewcookie.php):

setcookie("TestCookie", "Cookie value set to B with a default

domain");

As you can see, now you have two cookies with the same name. Note that these two cookies
are different (inspect the domain value set).

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 8

The following web application does not set the cookie properly. Once you click on the login
button, the web application sets the following cookie:

• Name: TestCookie
• Value: Cookie set for a.incorrectcookie.test
• Domain: .a.incorrectcookie.test
• Path: /
• Expires: Session

The code that the application uses is the following:

setcookie("TestCookie", "Cookie set for

a.incorrectcookie.test",null,null, "a.incorrectcookie.test");

As you can see, the domain has been set to a.incorrectcookie.test (but we are
navigating incorrectcookie.site).

This is not going to work since a.incorrectcookie.site cannot set a cookie for a
different domain (such as a.incorrectcookie.test). If we click on "Test cookie on
a.incorrectcookie.test", we can see that no cookie is set.

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 9

The following web application does not set the cookie properly. Once you click on the login
button, the web application sets the following cookie:

• Name: TestCookie
• Value: Cookie set for b.incorrectcookie2.site
• Domain: b.incorrectcookie2.site
• Path: /
• Expires: Session

The code that the application uses is the following:

setcookie("TestCookie", "Cookie set for

b.incorrectcookie2.site",null,null, "b.incorrectcookie2.site");

As you can see, the subdomain has been set to b.incorrectcookie2.site (but we are
navigating a.incorrectcookie2.site).

This is not going to work since a.incorrectcookie2.site cannot set a cookie for a
subdomain (such as b.incorrectcookie2.site). If we click on "Test cookie on
b.incorrectcookie2.site", we can see that no cookie is set.

© 2018 Caendra Inc. | Hera for WAPTv3 | Introduction 10