can man-in-the-middle with session transfer be used to clone a website interaction session?

suppose I run a big webapp, let’s say written in ASP.net or some other such framework in which programmers may use in-memory session data. In practice, from my standpoint, the app is like a black box, but I can monitor data going in and out as well as log its interaction with the database. Well, I can do anything that can be done using a third-party tool that has no clue about the inner workings of any given webapp.

Now, suppose I want to market this webapp of mine to potential users and I am unhappy with that dumbest and least informative tool of them all, the “promotional video”. Instead I would like to offer potential customers a demo version experience on a “live” system, but I don’t want to force them to explore its complexity according to a big manual with screenshots. What I would really like to do is let them magically “jump” into the webapp state as it would have been after a whole bunch of actions were carried out. Then, when they are done exploring this particular scenario, they would “jump” into another scenario and so on (whatever changes and other damage they may have caused would be reset).

To use a simple analogy, let’s consider gmail. If I were selling gmail, let’s say I would want to let the user jump directly into the state where the first message in the Inbox is opened and the Reply button is pressed on it. Then maybe I would have them jump into the Forwarding screen and examine the process of setting up mail forwarding.

In a way, this is a lot like what could be achieved using a script running in a browser functional-testing app like Selenium. Except, my potential customers probably don’t have Selenium installed and wouldn’t want me to script their browser even if they did have it.

So is there a way to achieve the above using some existing technology that would implement “man in the middle”? Let’s say this MITM app, running on my server next to the app being demoed, would play a script of commands as if coming from the customer’s browser and transmit to the customer all session cookies being set by the server. Then once the script is done, the customer would be able to interact with the webapp as the same “session” as the script.

Is the above approach realistic given existing tools, handling of security issues and so on?

By way of editorial comment, I think that this version of the man in the middle with session being transferred to the customer’s browser is the dumbest and most obvious (if not necessarily most or at all feasible) way to attempt to solve this problem. If it doesn’t work, it would make sense to explore alternative approaches that don’t involve the transfer.

If the web app isn’t using https or similar form of encryption, I don’t see why a MITM script wouldn’t work – you’re basically taking input from the user, feeding it to the web app, and then relaying the output back to the user. Isn’t that what MITM is all about?

But that seems like such an unnecessarily difficult way to implement this. Why not just code a demo mode into the web app to begin with?

That’s what I’d do, but it’s not clear if the OP controls the codebase or not.

code_grey, why not run Selenium from your PC, and use that to alter the customer’s session? As long as you use the same session ID I don’t see why that wouldn’t work.

And really, even if it is using HTTPS, it doesn’t matter as long as the user doesn’t mind entering stuff into a third-party site.

could you please clarify how that would work? First of all, are you talking about Selenium RC or something else?

Ok, so I have got this server running ASP.net or drupal or whatever app, let’s say the gmail clone. I also have Selenium RC (if that’s what you mean) installed on a nearby server. A user shows up and wants to go to the “reply to a message” scenario. If the user presses the “take me to scenario” button, I can understand how the Selenium RC bot could log in as user SeleniumUser and press the Reply button. But how do I now make it so that the human user with his regular browser can become “SeleniumUser” logged into the same session?

RE the codebase, like I said above, let’s say it is a black box with a million lines of code written using a framework not understood by the available developers. So creating new modules inside of it is not an option.

Logging in as the same user won’t be enough (if the application is well designed). The app will generate a unique session ID each time someone logs in, and store it in a cookie. You’d need to make sure Selenium and your customer are using the same session ID - either by finding out your customer’s ID after they’ve logged in, and making Selenium use that, or vice versa.

I’ve never done this so I can’t tell you exactly how, or even if it will work; some of the details would depend on your app. Just suggesting what I would try if I were in your shoes. There’s probably a better way to do it.
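The session hand-off sketched in the question (a scripted driver plays the scenario, the proxy relays the cookies the app sets) and the "make both sides use the same session ID" advice in the comment above, worked through as an added example that is not part of the original thread. Everything in it is a constructed stand-in: `BlackBoxApp` is a toy in-memory-session app standing in for the real ASP.NET/Drupal black box, `DemoProxy` is the hypothetical MITM/demo component running on the same host, and `customer_request` plays the customer's browser; the URL paths, the cookie name and `SeleniumUser` are assumptions. The point it makes concrete is that a session cookie is a bearer token: emitting the scripted session's `Set-Cookie` to the customer is the whole "transfer", and since the proxy is the OP's own server it can do this over HTTPS as well (it terminates TLS itself). Two things a practitioner would check: cookies are host-scoped, so the proxy must answer on the host name the customer uses for the demo, and each visitor who receives a cookie owns that session, so every customer needs their own scripted run rather than a shared one.

```python
# Added example for the thread above, not code from the original post or from
# any product named in it. All components below are constructed stand-ins.
import secrets
from http.cookies import SimpleCookie


def parse_cookies(header_value):
    """Turn a Cookie or Set-Cookie header value into {name: value}."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: morsel.value for name, morsel in jar.items()}


def cookie_header(jar):
    """Serialise {name: value} the way a browser sends it in a Cookie header."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


class BlackBoxApp:
    """Toy stand-in for the opaque web app. Sessions live in memory and are
    found only by the session cookie, so whoever presents the cookie *is* the
    session. An unknown or missing id always gets a fresh one, i.e. the app is
    'well designed' in the sense of the comment: a client cannot pick its id."""
    COOKIE = "SESSIONID"   # assumed cookie name

    def __init__(self):
        self.sessions = {}

    def handle(self, method, path, headers, form=None):
        """Process one request and return (status, response_headers, body)."""
        resp_headers = []
        sid = parse_cookies(headers.get("Cookie", "")).get(self.COOKIE)
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(24)   # fresh, unguessable id
            self.sessions[sid] = {"user": None, "open": None, "replying": False}
            resp_headers.append(("Set-Cookie", f"{self.COOKIE}={sid}; Path=/; HttpOnly"))
        s = self.sessions[sid]
        if method == "POST" and path == "/login":
            s["user"] = form["user"]
        elif s["user"] is None and path != "/login":
            return 302, resp_headers + [("Location", "/login")], ""
        elif method == "POST" and path == "/inbox/open":
            s["open"], s["replying"] = form["msg"], False
        elif method == "POST" and path == "/inbox/reply":
            s["replying"] = s["open"] is not None
        return 200, resp_headers, f"user={s['user']} open={s['open']} replying={s['replying']}"


class DemoProxy:
    """The hypothetical MITM-style demo component in front of the app. It plays
    a script as if the requests came from the customer's browser, keeps every
    cookie the app sets, and then emits those cookies to the real customer."""

    def __init__(self, app):
        self.app = app

    def play_script(self, script):
        jar = {}
        for method, path, form in script:
            headers = {"Cookie": cookie_header(jar)} if jar else {}
            _, resp_headers, _ = self.app.handle(method, path, headers, form)
            for name, value in resp_headers:
                if name.lower() == "set-cookie":
                    jar.update(parse_cookies(value))
        return jar

    @staticmethod
    def handoff_headers(jar):
        """Set-Cookie headers for the customer's browser. Cookies are scoped to
        the host that set them, so the proxy must answer on the demo host name."""
        return [("Set-Cookie", f"{k}={v}; Path=/; HttpOnly") for k, v in jar.items()]


def customer_request(app, handoff, method, path, form=None):
    """Simulated customer browser: stores the handed-off cookies and sends them
    with its next request, exactly as it would for cookies the app itself set."""
    jar = {}
    for _, value in handoff:
        jar.update(parse_cookies(value))
    headers = {"Cookie": cookie_header(jar)} if jar else {}
    return app.handle(method, path, headers, form)


# Constructed scenario: first Inbox message opened and Reply pressed.
REPLY_SCENARIO = [
    ("POST", "/login", {"user": "SeleniumUser"}),
    ("POST", "/inbox/open", {"msg": 1}),
    ("POST", "/inbox/reply", None),
]


def run_demo(scenario=REPLY_SCENARIO, handoff=True):
    """Script the scenario, optionally hand the session to the customer, and
    report what the customer's first request sees."""
    app = BlackBoxApp()
    proxy = DemoProxy(app)
    jar = proxy.play_script(scenario)
    headers = proxy.handoff_headers(jar) if handoff else []
    status, _, body = customer_request(app, headers, "GET", "/inbox")
    return {"status": status, "body": body, "session_id": jar[BlackBoxApp.COOKIE]}


if __name__ == "__main__":
    print(run_demo())               # customer lands in the scripted state
    print(run_demo(handoff=False))  # no cookie: fresh session, redirected to /login
```

Without the hand-off the customer gets a brand-new session and is sent to the login page, which is the comment's point that logging in as the same user is not enough; with it, the customer's very first request is already "SeleniumUser with message 1 open and Reply pressed". Each call to `play_script` produces a distinct session id, so per-visitor scripted runs keep demo visitors from stepping on each other's state.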