HOW TO MANIPULATE COOKIES: AN INFORGRAPHIC FOR HACKERS

Hello reader, after writing a blog about “Cookies” (you can find the link below), I wanted you to know how to manipulate them and make some interesting experiments in an ethical way.

COOKIES: AN EYE-OPENING GUIDE

Cookie is a small piece of information created by the web server and it is stored in the web browser. Cookie manipulation is basically modifying a cookie to obtain an unintended behavior determined by the web developer. Cookie manipulation is possible because cookies are stored on your host system, which means you have complete control over them and you can modify them as you want.

For modifying and manipulating cookies, we need to open the developer tools. Developer tools can be accessed by pressing “F12” or “Ctrl + Shift + I”. Once the developer tools are open, then navigate to “Storage” tab in Firefox or “Application” tab in Chrome/Edge to access cookies. Select the Cookies dropdown on the left-hand side of the console.

Accessing Cookies in Developer tools

The values of cookies may seem to be random at first, however, they often have an encoded value or meaning behind them that can be decoded into non-arbitrary value such as JavaScript object.

From an attacker’s perspective, you can decode the cookie value to identify the underlying objects. After you have identified the underlying objects, then you can modify them however you want. To use the cookie, you need to encode the cookie back to the original encoding and replace the cookie value. You can find an example of decoded cookie value below.

{firstName:”Mark”, lastName:”Bill”, age:30, eyeColor:”brown”

Now we have all of the pieces of cookies and we know how to manipulate them, hence, by putting them all together, we can gain unintended access.

Summary:

Now, let’s look at a summary of how we can manipulate cookies step by step:

1. Obtain a cookie value. This can be obtained by registering or signing up for an account in a website.
2. Decode the value of the cookie.
3. Identify the object notation or structure of the cookie.
4. Modify the parameters inside the object to a different parameter with a higher privilege level, such as admin or administrator.
5. Re-encode the cookie and replace the cookie into the value space.
6. Action the cookie. You can make this happen by refreshing the page or logging in.

Hope you have learnt something new related to web exploitation. Stay tuned!!

Happy hacking :)

“Buy me a coffee” is a global platform where millions of people support creators and artists, financially.