Ad Home

What is Cookies? | Cookies Hacking | Hack Computer and Any Password With Cookies |

What is Cookies? | Cookies Hacking | Hack Computer and Any Password With Cookies |

What is Cookies?

A cookie is information that a Web site puts on your hard disk.  (More technically, it is information for future use that is stored by the server on the client side of a client/server communication.) Typically, a cookie records your preferences when using a particular site. Using the Web's Hypertext Transfer Protocol (HTTP), each request for a Web page is independent of all other requests. For this reason, the Web page server has no memory of what pages it has sent to a user previously or anything about your previous visits. A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer. You can view the cookies that have been stored on your hard disk.

How to Hack Cookies!

Cookies commonly include sensitive information associated with authentication. If the cookie contains passwords or session identifiers, stealing the cookie can be a very successful attack against a web site. There are several popular methods used to steal cookies, with the most popular being script injection and eavesdropping.

Reverse engineering the cookie offline is a very productive attack. The best path is to gather a sample of cookies using different input to see how the cookie changes. This can be done by using different accounts to authenticate at different times. The idea is to see how the cookie changes based on time, username, access privileges, and so on. Bit-flipping attacks adopt the brute-force approach, methodically modifying bits to see if the cookie is still valid and whether different access is gained.

Before embarking on attacks on cookie values, care should be taken to first understand any encoding used and whether the cookie requires to be decoded for the attack to be successful. One general mistake made by application developers is to use an encoding format, such as Base64, when encryption is required.

This mistake is sometimes noticed in applications caching role data in the cookie for performance purposes. Because Base64 is easily decoded, an attacker can decode the cookie value, change it then re-encode the cookie value to probably change his or her assigned position and obtain access to the application. Tools such as the Burp web proxy have great support for manipulating cookies and encoding, decoding, and hashing values using standard algorithms.