Bug Bounty Diaries #11 – How Cookies work

After a long break I have finally decided to get back to doing some bounties, and I am really excited for that. First, I needed a break. Second, I was heavily invested in Web Development and have learned a ton in that sector. There is a lot of interesting stuff in my pipeline that will be very interesting for all of you Bug Hunters. Instead of just jumping in again, I decided to take a learning path on TryHackMe, Web Fundamentals to be specific. I already know most of the stuff in there, but it can never harm to re-connect those synapses. As I only started a day ago and it’s already Friday, there is not too much to share this week. I have basically just learned about how cookies work and thought I’d share.

What are Cookies exactly?

I’m just going to save you from a stupid cookie joke at this point. Cookies generally have a large number of uses. In most cases, they are used for session management and advertising (tracking cookies).

Why do we use Cookies?

HTTP is stateless. That means we need Cookies to keep track of things. Those things include, but are not limited to:

Items in a shopping cart, who you are, what you have done on the website so far, authentication information, etc.

Cookie Properties

Cookies have certain properties, see below.

  • A name
    • To identify the cookie
  • A value
    • That’s where the data is stored
  • An expiration date
    • When the browser gets rid of the cookie (e.g. after 30 days)
  • Path
    • That determines which requests the cookie will be sent with

Cookies are typically set by the server in the response headers with the “Set-Cookie” header, but they can also be set from JavaScript.
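To make the properties above concrete, here is a small parser for a Set-Cookie header. This is an added example and not code from the original post; the header strings are constructed, and the attribute names are the standard ones (Expires, Max-Age, Domain, Path, Secure, HttpOnly, SameSite). It goes slightly beyond the list above by also checking the attributes that protect a session cookie from being exposed.

```python
"""Parse a Set-Cookie response header into the properties listed above.

Added example, not code from the original post. The header strings are
constructed; attribute names are the standard ones (Expires, Max-Age, Domain,
Path, Secure, HttpOnly, SameSite).
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

FLAG_ATTRIBUTES = ("secure", "httponly")                  # attributes that carry no value
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "time of receipt"


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into a dict.

    The first segment is the cookie itself (name and value); every later
    segment is an attribute telling the browser when and where to send it back.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attributes": {}}
    for segment in segments[1:]:
        if not segment:
            continue
        attr, _, attr_value = segment.partition("=")
        key = attr.strip().lower()        # attribute names are case-insensitive
        cookie["attributes"][key] = True if key in FLAG_ATTRIBUTES else attr_value.strip()
    return cookie


def expiry(cookie: dict, received_at: datetime) -> Optional[datetime]:
    """When the browser gets rid of the cookie.

    Max-Age (seconds from receipt) wins over Expires when both are present;
    neither means a session cookie that lives only until the browser closes.
    """
    attrs = cookie["attributes"]
    if "max-age" in attrs:
        return received_at + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None


def sent_with(cookie: dict, request_path: str) -> bool:
    """Path matching: the cookie goes out only for requests under its Path.

    Assumes '/' when Path is absent; a browser would instead derive the
    default from the URL the cookie was set on.
    """
    path = cookie["attributes"].get("path", "/")
    if request_path == path:
        return True
    if request_path.startswith(path):
        # "/app" must match "/app/login" but not "/application"
        return path.endswith("/") or request_path[len(path)] == "/"
    return False


def session_cookie_findings(cookie: dict) -> list:
    """Checks worth running on any cookie that carries a session token."""
    attrs = cookie["attributes"]
    findings = []
    if not attrs.get("secure"):
        findings.append("missing Secure")          # sent over plain HTTP too
    if not attrs.get("httponly"):
        findings.append("missing HttpOnly")        # readable via document.cookie
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")   # sent on cross-site requests
    return findings


if __name__ == "__main__":
    header = "ctfchallenge=abc123; Path=/app; Max-Age=2592000; HttpOnly"   # constructed
    cookie = parse_set_cookie(header)
    print(cookie["name"], cookie["value"], cookie["attributes"])
    print("expires at", expiry(cookie, EXAMPLE_NOW))
    print("sent with /app/login:", sent_with(cookie, "/app/login"))
    print("findings:", session_cookie_findings(cookie))
```

The findings function is the reviewer's view of the same header: a session cookie without Secure and HttpOnly is the one that is easiest to steal, which is exactly why the token discussed further down needs those attributes.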

When you log into a website, you are given a session token. This token allows the server to differentiate your requests from another user’s. As you probably know, cookies can be stolen to impersonate someone else.

Manipulating Cookies

To understand how cookies work, we need to know how to manipulate them. There are a gazillion ways to manipulate cookies; let me quickly show you two. In this example I use Adam Langley’s excellent CTFChallenge.co.uk website.

Using Developer Tools

In Chrome, you can just press F12, go to Application and select Cookies in the left pane. In Firefox it is also F12, and then you find the Cookies within the Storage tab.

Here, I could just double-click the cookie string, change it, and send the request again with the modified cookie.

[Screenshot: How Cookies Work Dev Tools]

To be able to access VULNLTD’s site, you have to be logged in to Adam’s CTFChallenge.co.uk.

Hence, if I open the same website in an incognito window, I am not able to access the site, due to the lack of the cookie:

[Screenshot: How Cookies Work Dev Tools]

If I now go ahead and copy the cookie from the left window (the logged in session) to the right, unauthenticated window and hit F5 to refresh:

[Screenshot: How Cookies Work Browser]

Voila, we are in. You get the gist of it I guess?

Using Curl

We can also use Curl with cookies. To do that, we need the name of the cookie and its value. We can tell which is which by simply looking at the tab in dev tools.

[Screenshot: How Cookies Work]

Let’s try to send a GET request to Adam’s challenge without being authenticated.

curl http://www.vulnrecruitment.co.uk/

[Screenshot: How Cookies Work Curl]

Huh, didn’t work? Of course not! But Adam gives us a hint. Let’s try that again:

curl -H "Cookie: ctfchallenge=MyCookie" http://www.vulnrecruitment.co.uk/

[Screenshot: How Cookies Work Curl]

Awesome! Now we also know that Adam doesn’t like to write CSS and uses Bootstrap. I think that should get the point across.
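The three requests above (no cookie, the browser's own cookie, the same value pasted into another client) can be replayed against a small in-process model of the server. This is an added example, not code from the original post or from CTFChallenge.co.uk: the server side is a plain Python function rather than a network listener so it runs offline, and the credentials, responses and cookie name (taken from the curl line above) are constructed. Unlike the challenge site, which accepts the hinted value, this model only honours tokens it issued itself, and it adds a logout to show how a server revokes a token that has been copied elsewhere.

```python
"""Session cookies on top of stateless HTTP.

Added example, not code from the original post or from CTFChallenge.co.uk.
The 'server' is an in-process function so the exchange runs offline;
credentials, cookie name and responses are constructed.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]          # (status, response headers, body)

USERS = {"alice": "correct horse battery staple"}   # constructed demo credentials
SESSIONS: Dict[str, str] = {}                       # token -> username, lives only on the server
COOKIE_NAME = "ctfchallenge"                        # name used in the curl command above


def login(username: str, password: str) -> Response:
    """POST /login: verify credentials and hand back a session token in Set-Cookie."""
    if USERS.get(username) != password:
        return 401, {}, "bad credentials"
    # The token is random and unguessable; it is the only thing tying later
    # requests to this login, so it must never be derived from user data.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    # HttpOnly keeps document.cookie from reading it, Secure restricts it to
    # HTTPS, SameSite=Lax stops most cross-site requests from carrying it.
    header = f"{COOKIE_NAME}={token}; Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax"
    return 200, {"Set-Cookie": header}, "logged in"


def cookies_from_request(headers: Dict[str, str]) -> Dict[str, str]:
    """Parse the Cookie request header ('a=1; b=2') into name -> value."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def get_protected(headers: Dict[str, str]) -> Response:
    """GET /: HTTP is stateless, so the caller is whoever the presented token says."""
    token = cookies_from_request(headers).get(COOKIE_NAME)
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, {}, "please log in"
    return 200, {}, f"welcome {user}"


def logout(headers: Dict[str, str]) -> Response:
    """POST /logout: drop the token server-side so every copy of it stops working."""
    token = cookies_from_request(headers).get(COOKIE_NAME)
    SESSIONS.pop(token, None)
    # Max-Age=0 also tells the browser to delete its own copy.
    return 200, {"Set-Cookie": f"{COOKIE_NAME}=; Path=/; Max-Age=0"}, "logged out"


def cookie_header_from_set_cookie(set_cookie: str) -> str:
    """What the browser (or you, in dev tools) does: keep name=value, drop the attributes."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return "; ".join(f"{name}={m.value}" for name, m in jar.items())


def demo() -> List[int]:
    """Replay the post's requests, then a made-up token, then a revoked one."""
    statuses = []
    statuses.append(get_protected({})[0])                        # no cookie at all
    _, resp_headers, _ = login("alice", "correct horse battery staple")
    cookie = cookie_header_from_set_cookie(resp_headers["Set-Cookie"])
    statuses.append(get_protected({"Cookie": cookie})[0])        # same client, its own cookie
    second_window = {"Cookie": cookie}                           # value pasted into another client
    statuses.append(get_protected(second_window)[0])             # server cannot tell them apart
    statuses.append(get_protected({"Cookie": f"{COOKIE_NAME}=MyCookie"})[0])  # never issued
    logout({"Cookie": cookie})
    statuses.append(get_protected(second_window)[0])             # token revoked server-side
    return statuses


if __name__ == "__main__":
    print(demo())   # [401, 200, 200, 401, 401]
```

On the command line the same exchange is `curl -i` to see the Set-Cookie header in the login response, then `curl -b "ctfchallenge=<token>" URL`, which is equivalent to the `-H "Cookie: ..."` form used above. The point of the last two statuses is the defender's side of the story: the server cannot distinguish a pasted token from the original, so protecting the token (HttpOnly, Secure, short lifetime) and being able to revoke it are what actually limit the damage.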

Other tools to modify and send cookies with

  • Burp Suite
  • Postman
  • Curl
  • Browser Dev Tools
  • Probably tons of other tools

Now you should know how cookies work.

Conclusion

Ah, writing that was fun! I am excited to get back to this after taking a break. I think if you are a Bug Bounty beginner, now is the right time to jump in, as I start from the beginning again as well. Those posts will be weekly on Fridays.

Check out older episodes of The Bug Bounty Diaries here.
