Cookie manipulation

Cookie manipulation involves analyzing, modifying, forging, or replaying cookies to bypass authentication, escalate privileges, impersonate users, or access restricted functionality. Because cookies often store session identifiers, user preferences, roles, and state information, insecure cookie design becomes a direct attack surface. When applications trust cookies without proper validation, attackers can alter them to gain unauthorized access.

Understanding Cookies in Web Applications

Cookies store data that the browser sends with every request to the server. Authentication and session handling rely heavily on them.

Cookies can contain:

  • Session IDs

  • JWT tokens

  • Role identifiers

  • User preferences

  • Temporary states

  • CSRF tokens

If the application does not validate or secure cookie contents properly, cookies become easy to manipulate.

How Cookies Are Stored and Transmitted

When a user logs in, the server returns:

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax

The browser stores it and includes it in every request:

Cookie: session=abc123

Weaknesses arise when:

  • The cookie contains sensitive data

  • The cookie is editable on the client side

  • Cookie flags are missing

  • Integrity is not enforced

Cookies must be treated as untrusted client input at all times.

Common Cookie Manipulation Vulnerabilities

Modifying Role or Privilege Values

Many applications store roles inside cookies:

role=user

Attackers modify it:

role=admin

If the server does not validate roles server-side, privilege escalation occurs.

Base64-Encoded Cookie Manipulation

Developers often encode values using Base64, assuming it "hides" data.

Example cookie:

dXNlcj1hZG1pbg==

Decoding reveals:

user=admin

An attacker can re-encode modified values and impersonate administrators.

JSON Cookie Manipulation

Modern apps use JSON-based cookies:

{"user":"mayur","role":"user","premium":false}

If not signed, attackers modify it to:

{"user":"mayur","role":"admin","premium":true}

If the server trusts the cookie, role escalation is immediate.

JWT Manipulation

JWT tokens contain encoded claims:

{"username":"user","role":"user"}

If the server:

  • Accepts "alg": "none"

  • Does not verify signatures

  • Uses weak signing keys

Then attackers can forge or modify tokens.
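The server-side counterpart to those three conditions, as an added example that is not code from the original page: a standard-library HS256 verifier that pins the algorithm, rejects short keys, and compares signatures in constant time. The function names and the demo key are assumptions made for illustration; only the algorithm and signature are checked, not expiry claims.

```python
import base64
import hashlib
import hmac
import json

MIN_KEY_BYTES = 32  # HS256 keys should be at least as long as the 256-bit hash output

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_hs256(claims: dict, key: bytes) -> str:
    """Issue a token so the verifier below has something real to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims if the token is HS256-signed with `key`, else None."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("signing key too short for HS256")
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side: never let the token's header choose
        # it, which is what makes "alg": "none" acceptable to lax verifiers.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(body_b64))
    except (ValueError, AttributeError):
        return None  # malformed token: wrong segment count, bad Base64 or JSON

if __name__ == "__main__":
    demo_key = b"constructed-demo-key-0123456789abcdef"  # constructed, not a real secret
    token = issue_hs256({"username": "user", "role": "user"}, demo_key)
    print(verify_hs256(token, demo_key))
```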

Insecure Cookie Storage

Some cookies contain sensitive information such as:

  • Passwords

  • API tokens

  • Personal data

  • Session identifiers

This allows attackers to extract or reuse them.

Missing Integrity Protection

If the server does not use:

  • HMAC

  • Signatures

  • Validation mechanisms

Then cookie manipulation becomes trivial.

Missing Cookie Flags and Their Exploitation

Missing HttpOnly

If HttpOnly is missing:

Set-Cookie: session=abc123

JavaScript can read it:

document.cookie

XSS becomes a session-stealing vector.

Missing Secure

If Secure is missing:

Set-Cookie: session=abc123; HttpOnly

Cookies are transmitted over plain HTTP. Attackers on the same network can sniff them.

Missing SameSite

Without SameSite:

Set-Cookie: session=abc123; Secure; HttpOnly

The application becomes vulnerable to CSRF.

Overly Permissive Path/Domain

Example:

Set-Cookie: role=user; Path=/

If subdomains share cookies, attackers can manipulate them through a less secure subdomain.
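A quick way to check responses for the flag problems in this section, as an added example that is not code from the original page: a small auditor that parses Set-Cookie header lines and reports what is missing. The function names and finding strings are assumptions; the sample headers are the ones shown on this page.

```python
def audit_set_cookie(header: str) -> list:
    """Return a list of findings for one Set-Cookie header line."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return ["empty Set-Cookie header"]
    name = parts[0].partition("=")[0]

    # Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict", "none"):
        findings.append(f"{name}: missing or invalid SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure")
    if attrs.get("domain"):
        # A Domain attribute makes the browser send the cookie to subdomains too.
        findings.append(f"{name}: Domain={attrs['domain']} shares the cookie with subdomains")
    return findings

# Headers taken from the examples on this page.
PAGE_HEADERS = [
    "Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: session=abc123",
    "Set-Cookie: session=abc123; HttpOnly",
    "Set-Cookie: session=abc123; Secure; HttpOnly",
    "Set-Cookie: role=user; Path=/",
]

def audit_all(headers):
    return {h: audit_set_cookie(h) for h in headers}

if __name__ == "__main__":
    for header, findings in audit_all(PAGE_HEADERS).items():
        print(header, "->", findings or "ok")
```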

Practical Cookie Manipulation Techniques

Inspecting Cookies with Browser DevTools

Open DevTools → Application → Cookies.

Example cookie:

sessionid=FKhL39af29skl3k29d
role=user
premium=false

Any editable cookie is a potential attack target.

Editing Cookies in DevTools

Modify values directly:

Change:

role=user

to:

role=admin

Reload the page to see if privilege escalation occurs.

Intercepting Cookies with Burp Suite

Capture a request:

Cookie: role=user; session=abc123

Edit and forward:

Cookie: role=admin; session=abc123

If the response changes, the application trusts the manipulated cookie.

Base64 Manipulation

Decode:

echo dXNlcj1hZG1pbg== | base64 -d

Modify and re-encode:

echo -n "user=admin" | base64

Replace the cookie and test again.

JWT Manipulation

Decode JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Use tools like jwt.io to modify claims:

Change:

"role": "user"

to:

"role": "admin"

If the server does not validate the signature → full compromise.

Cookie Replay Attacks

Use stolen cookies intercepted through:

  • XSS

  • Man-in-the-middle

  • Logs

  • Exposed URLs

Replay them:

curl -H "Cookie: session=abc123" https://target.com/dashboard

If access is granted → session hijacking vulnerability.

Detecting Cookie Manipulation Flaws

Modify Cookie Values

Force privilege escalation:

  • Change role

  • Change user ID

  • Set flags to true

Test for Server-Side Validation

Send malformed cookies:

Cookie: role=admin; session=invalid

If you still get authenticated content, validation is weak.

Test Expired or Old Cookies

Reuse old cookies from earlier sessions.

If they still work → session invalidation flaw.
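What passing these tests looks like on the server, as an added example that is not code from the original page: the cookie carries only an opaque random ID, the role is looked up server-side, and sessions expire and are destroyed on logout. The SessionStore class, its in-memory dictionary, and the 30-minute lifetime are assumptions for illustration.

```python
import secrets
import time

class SessionStore:
    """Server-side sessions: the cookie holds only an unguessable identifier."""

    def __init__(self, ttl_seconds: int = 1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session ID -> {"user", "role", "expires"}

    def create(self, user: str, role: str, now=None) -> str:
        now = time.time() if now is None else now
        # Random ID with no user ID or role embedded, so it cannot be derived
        # or edited into another user's session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "role": role, "expires": now + self.ttl}
        return sid

    def resolve(self, cookies: dict, now=None):
        """Return (user, role) for the request, or None if not authenticated.

        Only the session cookie is consulted; a client-sent role cookie
        has no effect on the result.
        """
        now = time.time() if now is None else now
        sid = cookies.get("session", "")
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[sid]  # expired sessions are removed, not reused
            return None
        return entry["user"], entry["role"]

    def logout(self, cookies: dict) -> None:
        # Invalidate server-side so a copied cookie stops working immediately.
        self._sessions.pop(cookies.get("session", ""), None)

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("mayur", "user")
    print(store.resolve({"session": sid, "role": "admin"}))        # role cookie ignored
    print(store.resolve({"session": "invalid", "role": "admin"}))  # unknown session
    store.logout({"session": sid})
    print(store.resolve({"session": sid}))                         # old cookie after logout
```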

Tamper Structures

Modify JSON cookies:

{"user":"mayur","role":"admin","is_premium":true}

If accepted without server checks → vulnerable.

Check for Cookie Signing

Unsigned cookies:

role=admin

Signed cookies:

role=admin.signaturehash

Unsigned cookies are inherently vulnerable.
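How the signed form is produced and checked, covering both this section and "Missing Integrity Protection" above, as an added example that is not code from the original page: the server appends an HMAC-SHA256 signature to the cookie value and rejects anything whose signature does not match. The key, function names, and `payload.signature` layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads a random key from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def sign_cookie(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize `data` and return 'payload.signature'."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the original dict if the signature matches, else None."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None  # no signature part at all: treat as unsigned and reject
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None

def demo():
    """Verify a genuine cookie, an edited payload with the old signature,
    and an edited payload with no signature (all values constructed)."""
    cookie = sign_cookie({"user": "mayur", "role": "user", "premium": False})
    _, sig = cookie.rsplit(".", 1)
    edited = base64.urlsafe_b64encode(
        json.dumps({"user": "mayur", "role": "admin", "premium": True}).encode()
    ).decode()
    return verify_cookie(cookie), verify_cookie(f"{edited}.{sig}"), verify_cookie(edited)

if __name__ == "__main__":
    print(demo())
```

Signing gives integrity only: the payload is still readable by the client, so it should not hold secrets.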

Real-World Examples of Cookie Manipulation

Role Escalation

Original cookie:

role=user

Attacker changes:

role=admin

No server validation → admin access.

Premium Feature Bypass

Cookie:

premium=false

Attacker sets:

premium=true

Unlocks paid functionality.

Session Forgery

Cookie:

session=userid123

If session IDs contain user IDs, attackers can forge:

session=userid001

Gain unauthorized access.

JWT Bypass

JWT with:

"alg": "none"

Attacker modifies token freely.

Impact of Cookie Manipulation

Cookie manipulation leads directly to:

  • Account takeover

  • Privilege escalation

  • Bypassed authentication

  • Stolen sessions

  • Payment feature bypass

  • Administrative access

  • Full system compromise

Any application trusting client-side cookie data is critically vulnerable.

Intel Dump

  • Cookie manipulation targets weak, insecure, or unvalidated cookie values.

  • Roles, privileges, and session data stored client-side can be modified.

  • Missing cookie flags (HttpOnly, Secure, SameSite) allow theft or abuse.

  • Base64, JSON, and JWT cookies can be decoded and altered without protection.

  • Lack of integrity checks enables forged or modified cookies.

  • Cookie replay, fixation, and hijacking occur when session validation is weak.

  • Cookie manipulation results in privilege escalation and full account compromise.
