pytos
Q: Reuse of browser session with pytos
Background: Tufin is placed behind a corporate SSO portal that only allows PKI card based authentication. The PKI card is not properly usable in the context of cmd.exe or a Linux shell.
The question is whether it is possible to reuse a browser-based established session in pytos. The idea I have in mind is to export the cookie from the browser and extract the session information to create a pytos session object.
In theory, yes. If you re-send your cookie bag to the web server, it should allow the request. But in the real world you need to test it. If there is a web application firewall in front of the web server, it might do some fingerprinting on your request and detect session hijacking. As this is an OWASP Top 10 attack, a lot of products will prevent it. Nevertheless, if you are careful with HTTP headers (the order of headers also counts) and send the request from the same IP, you might have a chance.
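The request fingerprinting that the answer attributes to a web application firewall, written out as detection logic. This is an added example, not part of the original thread or of pytos; the `Request` and `SessionBinding` names, the `SESSION` cookie name, the host name and the sample traffic are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    session_id: str   # value of the session cookie
    source_ip: str
    headers: tuple    # (name, value) pairs in the order they arrived

def fingerprint(req):
    """Hash the header names in arrival order together with the User-Agent value."""
    names = "|".join(name.lower() for name, _ in req.headers)
    agent = next((v for n, v in req.headers if n.lower() == "user-agent"), "")
    return hashlib.sha256(f"{names}\n{agent}".encode()).hexdigest()

class SessionBinding:
    """Pin each session to its first-seen source IP and header fingerprint."""
    def __init__(self):
        self._first_seen = {}

    def check(self, req):
        current = (req.source_ip, fingerprint(req))
        first = self._first_seen.setdefault(req.session_id, current)
        reasons = []
        if current[0] != first[0]:
            reasons.append("source-ip-changed")
        if current[1] != first[1]:
            reasons.append("header-fingerprint-changed")
        return reasons

# Constructed sample traffic: one session cookie presented by four requests.
BROWSER = Request("sess-A", "10.0.0.5", (
    ("Host", "tos.example.internal"),
    ("User-Agent", "Mozilla/5.0 (constructed)"),
    ("Accept", "text/html"),
    ("Cookie", "SESSION=sess-A"),
))
SCRIPT = replace(BROWSER, headers=(
    ("Host", "tos.example.internal"),
    ("User-Agent", "python-requests (constructed)"),
    ("Accept-Encoding", "gzip"),
    ("Cookie", "SESSION=sess-A"),
))
REORDERED = replace(BROWSER, headers=(BROWSER.headers[0], BROWSER.headers[2],
                                      BROWSER.headers[1], BROWSER.headers[3]))
OTHER_IP = replace(BROWSER, source_ip="10.0.0.99")

def run_sample():
    binding = SessionBinding()
    return [binding.check(r) for r in (BROWSER, SCRIPT, REORDERED, OTHER_IP)]
```

A check of this kind flags the same cookie arriving with a different header set, a different header order, or a different source address, which are the three traits the answer names.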
Thanks @marioland for your detailed answer and for pointing out your concerns on that.
If reusage hijacking is unwanted from a security scope, I will look for an alternative way to make use of pytos.
Do you have an idea how to start with smart card authentication in Python?