Cookies are small pieces of information sent by a web server to the client (browser) to store some information locally, related to that specific user. In modern web applications, cookies are used to store user-specific data, such as color theme configuration, object arrangement preferences, previous activity, and (more importantly for us) the session identifiers.
In this recipe, we will use the browser's tools to see the cookies' values, how they are stored, and how to modify them.
Our vulnerable_vm needs to be running. 192.168.56.102 will be used as the IP address for that machine and we will use OWASP-Mantra as the web browser.
- Browse to
http://192.168.56.102/WackoPicko. - On Mantra's menu, navigate to Tools | Application Auditing | Cookies Manager +.
In the preceding image, we can see all the cookies stored at that time, and the sites they belong to, with this add-on. We can also modify their values, delete them, and add new ones.
- Select PHPSESSID from 192.168.56.102 and click on Edit.
- Change the Http Only value to Yes.
The parameter we just changed (Http Only) tells the browser that this cookie is not allowed to be accessed by a client-side script.
Cookies Manager+ is a browser add-on that allows us to view, modify, or delete existing cookies and to add new ones. As some applications rely on values stored in these cookies, an attacker can use them to inject malicious patterns that might alter the behavior of the page or to provide fake information in order to gain a higher level of privilege.
Also, in modern web applications, session cookies are commonly used and often are the only source of user identification once the login is done. This leads to the possibility of impersonating a valid user by replacing the cookie's value for the user of an already active session.