How to do it...

It's recommended to delete all cookies before doing this recipe. Having cookies from many different applications can get confusing, as all of those applications are on the same server and all cookies belong to the same domain:

  1. Browse to http://192.168.56.11/WackoPicko/.
  2. We can use the Cookies Manager browser add-on to check the cookies' values and parameters. To do this, just click on the add-on's icon and it will display all cookies currently stored by the browser.
  3. Select any cookie, for example PHPSESSID from the domain 192.168.56.11, and double-click on it, or click Edit to open a new dialog to view and be able to change all of its parameters:

PHPSESSID is the default name of session cookies in PHP-based web applications. Looking at this cookie's parameter values, we can see that it can be sent over both secure and insecure channels (HTTPS and HTTP) and that it can be read by the server and also by the client through scripting code, because it doesn't have the Secure (indicated by the Send For: Any type of connection parameter) and HttpOnly flags enabled. This means that the sessions in this application may be hijackable.

  4. We can also use the browser's Developer Tools to view and modify cookie values. Open the Developer Tools and go to Storage:

In this screenshot, we selected a cookie called session, which only applies to the WackoPicko directory on the server (given by the Path parameter); it will be erased when the browser is closed (Expires: "Session") and, as with PHPSESSID, it doesn't have the HttpOnly and Secure flags enabled, hence it can be accessed via scripting (no HttpOnly) and will be transmitted over either HTTP or HTTPS (no Secure).
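
The same properties can be read from the Set-Cookie response headers instead of the browser UI. The following is an added example, not code from the book: it parses constructed sample headers (the cookie values and the "hardened" cookie are assumptions) and reports missing Secure and HttpOnly flags, the path scope, and whether the cookie is session-only.

```python
# Constructed Set-Cookie values modelled on the cookies described above;
# they are sample data, not captured from the lab server.
SAMPLE_HEADERS = [
    "PHPSESSID=q1w2e3r4t5y6; path=/",
    "session=7; Path=/WackoPicko/",
    "hardened=abc123; Path=/; Max-Age=3600; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes get an empty string value.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Report the same properties the recipe reads off in the browser."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: sent over HTTP as well as HTTPS")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: readable by client-side script")
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "name": name,
        "path": attrs.get("path", "(default)"),
        "lifetime": "persistent" if persistent else "session",
        "findings": findings,
    }


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = audit_cookie(header)
        print(f"{report['name']}: path={report['path']} lifetime={report['lifetime']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```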
