Easy Cookie Hacking

26 Mar 2006

When penetration testing a web app, it's hard to avoid a few manual tests. For example, you might try a simple cross-site scripting (XSS) exploit:

Or, perhaps its cousin:

Testing with GET and POST is easy enough, because you can use the web app's own forms or create one yourself. Manipulating cookies isn't quite as easy, but you don't actually need to send your own raw HTTP requests or use a Firefox extension. You just need a bit of JavaScript.

You've probably used the javascript: URL scheme in some way - for example, entering javascript: into the location bar of Firefox brings up the JavaScript console. It's pretty easy to use this to manipulate document.cookie - just enter something like the following into your browser's location bar:

Just change Your+Name to be your own name, and this will set the cookie my blog uses to recognize you when you're posting a comment. (You need to already be on my web site, of course.) This is just a simple demonstration - the usefulness of this technique is clearer when you use it to inject malicious data in order to make sure cookie values are being filtered properly. There is some hassle involved, because you need to escape the value to be preserved in the context of JavaScript and escape it again to be preserved in the context of a URL:

Luckily, with a small collection of common injections, it's easy to perform some mild penetration testing. You can even bookmark them.
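The two escaping layers mentioned above (once for the JavaScript string, once for the URL) are easy to get wrong by hand. As an added example that is not code from the original post, here is a small helper that builds such a javascript: URL and reverses both layers so the result can be checked without running it; the cookie name comment_author and the sample value are constructed placeholders.

```javascript
// Layer 1: JavaScript context. The cookie assignment must survive as
// source text, so the value becomes a JavaScript string literal.
function jsStringLiteral(s) {
  return JSON.stringify(s); // escapes quotes, backslashes, newlines, ...
}

// Build a bookmarkable javascript: URL that sets one cookie.
function buildCookieSetterUrl(name, value) {
  const statement = `document.cookie=${jsStringLiteral(`${name}=${value}`)}`;
  // Layer 2: URL context. Browsers percent-decode the body of a
  // javascript: URL before executing it, so encode the whole statement.
  return `javascript:${encodeURIComponent(statement)}`;
}

// Undo both layers and return the "name=value" string that would be
// assigned, or null if the URL is not in the shape built above.
function decodeCookieSetterUrl(url) {
  const prefix = 'javascript:';
  if (!url.startsWith(prefix)) return null;
  const body = decodeURIComponent(url.slice(prefix.length));
  const m = /^document\.cookie=("(?:[^"\\]|\\.)*")$/.exec(body);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed test value mixing characters that matter in each layer:
// a double quote and backslash (JavaScript), a space and angle brackets
// (URL), and a semicolon. Note that an unescaped ';' ends the cookie
// value when the browser parses the assignment, so a value that must
// reach the server intact needs encodeURIComponent applied to it first.
const sampleValue = 'a"b;c<d>e f\\g';
const sampleUrl = buildCookieSetterUrl('comment_author', sampleValue);
```

Dropping the resulting URL into the location bar (or a bookmark) while on the target page performs the assignment; the decode helper is only there to verify the escaping.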