About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


Easy Cookie Hacking

When penetration testing a web app, it's hard to avoid a few manual tests. For example, you might try a simple cross-site scripting (XSS) exploit:

<script>alert('XSS')</script>

Or, perhaps its cousin:

"><script>alert('XSS')</script><"

Testing with GET and POST is easy enough, because you can use the web app's own forms or create one yourself. Manipulating cookies isn't quite as easy, but you don't actually need to send your own raw HTTP requests or use a Firefox extension. You just need a bit of JavaScript.

You've probably used the javascript: URL scheme in some way - for example, entering javascript: into the location bar of Firefox brings up the JavaScript console. It's pretty easy to use this to manipulate document.cookie - just enter something like the following into your browser's location bar:

javascript:document.cookie='comment_name=Your+Name;path=/'

Just change Your+Name to be your own name, and this will set the cookie my blog uses to recognize you when you're posting a comment. (You need to already be on my web site, of course.) This is just a simple demonstration - the usefulness of this technique is clearer when you use it to inject malicious data in order to make sure cookie values are being filtered properly. There is some hassle involved, because you need to escape the value to be preserved in the context of JavaScript and escape it again to be preserved in the context of a URL:

javascript:document.cookie='comment_name=%22%3E%3Cscript%3Ealert%28\%27XSS\%27%29%3C%2Fscript%3E%3C%22;path=/'

Luckily, with a small collection of common injections, it's easy to perform some mild penetration testing. You can even bookmark them.
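
The two escaping layers described above, as an added example that is not code from the original post: buildCookieUrl escapes a test value first for the single-quoted JavaScript string and then for the URL, and decodeCookieUrl reverses both so you can confirm what the cookie will actually hold. The function names and the choice to reject values containing ; or control characters are assumptions of this example.

```javascript
// Added example: names and validation rules here are assumptions, not the post's code.

// Layer 1: make the value safe inside a single-quoted JavaScript string.
function escapeForJsString(s) {
  return s.replace(/[\\']/g, (c) => "\\" + c);
}

// Layer 2: percent-encode for the URL. encodeURIComponent leaves ! ' ( ) *
// untouched, so encode those as well; the single quote is the one that matters.
function escapeForUrl(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

function buildCookieUrl(name, value, path = "/") {
  if (!/^[A-Za-z0-9_]+$/.test(name)) throw new Error("unexpected cookie name");
  if (!/^\/[A-Za-z0-9_\/.-]*$/.test(path)) throw new Error("unexpected path");
  // A ';' or control character would cut the cookie value short.
  if (/[;\x00-\x1f\x7f]/.test(value)) throw new Error("value cannot be stored raw");
  return "javascript:document.cookie='" + name + "=" +
    escapeForUrl(escapeForJsString(value)) + ";path=" + path + "'";
}

// Undo both layers in the order the browser applies them: URL decoding
// first, then JavaScript string-literal parsing.
function decodeCookieUrl(url) {
  const m = /^javascript:document\.cookie='(.*)'$/.exec(url);
  if (!m) throw new Error("not a cookie-setting URL");
  return decodeURIComponent(m[1]).replace(/\\(.)/g, "$1");
}

// The benign test string from the post, round-tripped.
const sample = "\"><script>alert('XSS')</script><\"";
const sampleUrl = buildCookieUrl("comment_name", sample);
console.log(sampleUrl);
console.log(decodeCookieUrl(sampleUrl));
```

The generated URL differs from the hand-written one above only in encoding the backslash as %5C; both decode to the same cookie string.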

About this post

Easy Cookie Hacking was posted on Sun, 26 Mar 2006.

9 comments

1.Mike Willbanks said:

Chris,

Wouldn't it just be easier to create a javascript prompt to get the cookie name and the cookie value as well as setting the path? For instance, just creating a simple javascript booklet to do so would be useful without any extra extensions.

However, there are certain extensions I use like the Web Developer Toolbar on Firefox that really help with handling how a site reacts without cookies enabled, injecting cookies, and also making it much easier to play with the forms on a website without having to do too much extra work :)

I have actually been thinking recently about trying to create a security toolbar, although this could be troublesome if normal users could get ahold of it. Basically a toolbar that could simply enter in malicious data into the forms, get variables and cookies without too much extra work. I think it would work wonders in the manual testing steps.

Mike

Sun, 26 Mar 2006 at 23:42:17 GMT Link


2.Chris Shiflett said:

Yeah, I should probably publish some handy bookmarklets, but I think simple approaches are still useful. For example, there are lots of great ways to send HTTP requests to a web server, but I still find myself using telnet a lot.

A security toolbar (or any security extension) is a good idea. I think as long as the exploits it provides are benign, you'll be helping more than hurting. Those who understand the exploits well enough to craft more sophisticated ones aren't likely to be dissuaded by inconvenience anyway.

Sun, 26 Mar 2006 at 23:59:31 GMT Link


3.Nico Edtinger said:

There is an extension for Firefox called Tamperdata <http://tamperdata.mozdev.org/> for changing everything you send to the server. Its context menu also has some common XSS hacks.

Mon, 27 Mar 2006 at 01:38:24 GMT Link


4.Chris Shiflett said:

http://tamperdata.mozdev.org/

Thanks, Nico, that's very cool. I should probably write a followup post to highlight some better tools. This was just a quick hack that can come in handy.

Mon, 27 Mar 2006 at 03:03:33 GMT Link


5.Mike Willbanks said:

Yeah tools are always good, I find that they can sometimes be cumbersome to come by a good one. A follow up post on tools would be highly useful. It might make my cumbersome testing process quite easier :)

Mon, 27 Mar 2006 at 14:02:13 GMT Link


6.Adam said:

Just a note on TamperData.

The context menu is fully customizable (you can add your own XSS etc.) and can be exported/imported for sharing across your DEV/QA teams. (or posting on articles on security tools)

A

Tue, 28 Mar 2006 at 17:39:33 GMT Link


7.Dougal Campbell said:

There's also the Add & Edit Cookies extension for Firefox:

http://addneditcookies.mozdev.org/

This makes it a snap to mess with cookie values and expiration dates. Don't leave home without it!

Tue, 28 Mar 2006 at 20:04:15 GMT Link


8.Ryan said:

javascript:document.cookie=prompt(document.cookie,"")+";path=/;";

There's a bookmarklet for this one.

Wed, 10 May 2006 at 07:53:02 GMT Link


9.Markus said:

Thank you for the informative article and all the best for 2007

Mon, 08 Jan 2007 at 00:26:36 GMT Link

