Cookie & Token Security

Cookies and tokens are the backbone of web authentication and session management. When implemented securely, they maintain user identity and access. When implemented poorly, they become one of the most dangerous attack surfaces, enabling account takeover, privilege escalation, authentication bypass, CSRF, and session hijacking. Understanding how cookies and tokens work—and how attackers abuse them—is essential for securing modern web applications.

Cookies store session identifiers and preferences, while tokens (JWT, OAuth tokens, API tokens) store identity and authorization data. Any leakage, tampering, or misuse leads to complete compromise of user accounts.

Understanding Cookies

Cookies are small pieces of data stored in the browser and sent automatically with every request to a domain. They often store:

  • session IDs

  • authentication state

  • user roles

  • CSRF tokens

  • preferences

  • tracking information

If attackers access or modify a cookie, they gain control over the user’s session.

Common Cookie Vulnerabilities

1. Missing HttpOnly Flag

HttpOnly prevents JavaScript from reading cookie values.

If missing:

document.cookie

allows attackers (via XSS) to extract session IDs.

2. Missing Secure Flag

Secure forces cookies to be sent only over HTTPS.

If missing, cookies travel in plaintext over HTTP:

  • leaked via network sniffing

  • captured in MITM attacks

3. No SameSite Attribute

SameSite controls cross-site cookie behavior.

If not set, cookies are vulnerable to CSRF attacks.

Common unsafe default:

SameSite=None without Secure

Some browsers reject the cookie; others send it insecurely.

4. Weak or Predictable Session IDs

If session IDs follow patterns:

SID=1001
SID=1002

Attackers guess other users’ sessions.

5. Storing Sensitive Data in Cookies

Examples:

role=admin
isLoggedIn=true
user=jsonEncodedAuthData

If cookies store privileges or identity directly, attackers modify them for authentication bypass.

6. Unencrypted Cookies

Cookies storing sensitive data in plaintext become easy to tamper with:

auth=Ym9iOnVzZXI=

Base64 ≠ encryption.

7. Cookie Injection

If applications reflect user input in headers:

Set-Cookie: session=123; path=/;userInput

Attackers inject their own cookies for session fixation.

8. Cookie Scope Misconfiguration

Cookies with:

Domain=.example.com

are sent to all subdomains.

Any vulnerable subdomain can steal cookies for the entire site.

Secure Cookie Attributes

HttpOnly

Prevents JavaScript access.

Secure

Allows cookie transmission only over HTTPS.

SameSite

Controls cross-site behavior:

  • Lax → safe default

  • Strict → requires first-party context

  • None → must use Secure

Path

Restricts the cookie to URLs under a given path prefix.

Domain

Controls which hosts receive the cookie. Omitting it restricts the cookie to the exact host that set it; setting it (for example Domain=example.com) shares the cookie with every subdomain.

Expires/Max-Age

Controls session lifetime.

Cookies and Session Attacks

Session Hijacking

Occurs when attackers steal session cookies:

  • XSS

  • network sniffing

  • insecure HTTP

  • browser plugins

  • compromised subdomains

Session Fixation

Attacker sets a session ID before login:

  • redirects user with predefined cookie

  • user logs in

  • attacker reuses fixed cookie to access account

Session Replay

If the server doesn't expire old sessions, attackers can reuse a token or cookie captured earlier.

Session Timeout Issues

If sessions never time out, or time out too slowly, attackers keep prolonged access.

Understanding Tokens

Tokens represent authentication or authorization data. Common types:

JWT (JSON Web Token)

Contains:

  • header

  • payload (claims)

  • signature

Example:

eyJhbGciOi...payload...signature

OAuth Tokens

  • access tokens

  • refresh tokens

API Tokens

Used by mobile apps and APIs for authentication.

If leaked, attackers bypass login completely.

Common Token Vulnerabilities

1. Unsigned or Weakly Signed JWT

If JWT uses:

alg: none

Attacker creates arbitrary tokens:

{"role":"admin"}

2. Using Symmetric Keys Incorrectly

If HS256 is used but the key is weak:

  • brute-force signature

  • forge tokens

3. Token Replay

Tokens can be reused indefinitely if not tied to:

  • IP

  • session

  • device

  • expiration

4. Long-Lived Tokens Without Expiry

Tokens with no expiry:

exp missing

remain valid forever.

5. Sensitive Data in Token Payload

JWT payloads are only Base64url-encoded, not encrypted.

If they contain:

  • passwords

  • API keys

  • session IDs

  • internal environment data

Attackers simply decode the token and extract that information.

6. Storing Tokens in localStorage

localStorage is accessible via any injected JavaScript.

XSS + localStorage = instant token theft.

7. Storing Tokens in URL

Example:

https://example.com?token=abc123

The token leaks via:

  • logs

  • analytics

  • browser history

  • Referer headers

8. Refresh Token Misuse

Unprotected refresh endpoints let attackers regenerate access tokens repeatedly.

Practical Cookie Security Testing Workflow

Step 1: Inspect Set-Cookie Headers

Check for:

  • HttpOnly

  • Secure

  • SameSite

  • Domain scope

  • Path scope
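Step 1 can be scripted. This added example (not code from the original page) parses Set-Cookie headers and reports the problems listed under Common Cookie Vulnerabilities and Secure Cookie Attributes: missing HttpOnly, Secure or SameSite, SameSite=None without Secure, a broad Domain, a numeric session ID, and a value that is merely Base64. The headers are constructed samples; Path scope is left for manual review.

```python
import base64

# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "sid=1001; Path=/",
    "auth=Ym9iOnVzZXI=; Domain=.example.com; Secure; SameSite=None",
    "track=x; SameSite=None",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def base64_plaintext(value):
    """Decoded text if the value is plain Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def audit_set_cookie(header):
    """Return [(code, explanation)] findings for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(("NO_HTTPONLY", f"{name}: readable via document.cookie under XSS"))
    if "secure" not in attrs:
        findings.append(("NO_SECURE", f"{name}: sent in plaintext over HTTP"))
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(("NO_SAMESITE", f"{name}: cross-site behaviour left to the browser default"))
    elif samesite == "none" and "secure" not in attrs:
        findings.append(("SAMESITE_NONE_INSECURE", f"{name}: SameSite=None requires Secure"))
    if "domain" in attrs:
        findings.append(("BROAD_DOMAIN", f"{name}: Domain={attrs['domain']} reaches every subdomain"))
    if value.isdigit():
        findings.append(("PREDICTABLE_ID", f"{name}: numeric value, may be a guessable session ID"))
    decoded = base64_plaintext(value)
    if decoded is not None:
        findings.append(("BASE64_PLAINTEXT", f"{name}: Base64 decodes to {decoded!r}, not encrypted"))
    return findings
```

Run audit_set_cookie over each header captured in a proxy; the first sample produces no findings, the others reproduce the weaknesses discussed above.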

Step 2: Attempt Cookie Tampering

Modify cookie values:

role=admin

If accepted → critical vulnerability.

Step 3: Test Session Fixation

Send a predefined session cookie and check whether the server keeps using it after login.
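The server-side behaviour that makes Step 3 pass, and that also closes the weak-ID, replay and timeout issues from the Cookies and Session Attacks section, is a session store that mints IDs from a CSPRNG, rotates the ID at login and expires sessions on the server. This added example is a constructed in-memory store, not the page's or any framework's code; timestamps are passed in explicitly so the expiry logic can be exercised.

```python
import secrets
import time

class SessionStore:
    """Constructed in-memory store for the example; a real deployment keeps the same
    operations but backs them with a server-side database or cache."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600):
        self._sessions = {}   # sid -> {"user", "created", "last_seen"}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    def new_session(self, user=None, now=None):
        """Mint a session ID from the OS CSPRNG (256 bits), never from a counter like SID=1001."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, presented_sid, user, now=None):
        """Bind the user to a fresh ID and destroy the pre-login one; keeping the ID the
        client arrived with is exactly what lets a planted (fixed) ID reach the account."""
        self._sessions.pop(presented_sid, None)
        return self.new_session(user, now)

    def resolve(self, sid, now=None):
        """Return the session record for a live ID, or None if unknown, idle or too old."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout or now - sess["created"] > self.absolute_timeout:
            self._sessions.pop(sid, None)   # expire server-side so a captured ID cannot be replayed later
            return None
        sess["last_seen"] = now
        return sess

    def logout(self, sid):
        """Invalidate server-side; clearing the browser cookie alone leaves the ID replayable."""
        return self._sessions.pop(sid, None) is not None
```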

Step 4: Check Cookie Scope

Test if subdomains can access sensitive cookies.

Step 5: Test Cookie Injection

Inject into headers or values to create additional cookies.

Practical Token Security Testing Workflow

Step 1: Decode JWT

Use any decoder to inspect the payload.

Look for:

  • admin fields

  • sensitive data

  • weak claims

Step 2: Modify JWT Payload

Change:

"role":"user"

to:

"role":"admin"

If accepted → broken signature or weak validation.

Step 3: Replace Token in Requests

Try:

  • expired tokens

  • forged tokens

  • unrelated tokens

  • empty tokens

Improper validation reveals weaknesses.
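Steps 2 and 3 above, together with vulnerabilities 1, 2 and 4 under Common Token Vulnerabilities, describe what a verifier must reject: an edited payload, alg:none, a token signed with another key, a token with no exp, and an expired token. This added example (not the page's code, and not a library's API) shows a minimal HS256 issuer and verifier using only the standard library; SECRET is a constructed placeholder key, and verify_jwt pins the algorithm server-side instead of trusting the token's alg header.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed HS256 key, constructed for this example; real keys are long random secrets from a secrets store.
SECRET = b"constructed-demo-key-replace-with-32-random-bytes"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header_b64, payload_b64, key):
    return hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def issue_jwt(claims, key=SECRET, ttl=900):
    """Issue an HS256 token that always carries a short exp claim."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps({**claims, "exp": int(time.time()) + ttl}).encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(sign_hs256(header_b64, payload_b64, key))}"

def verify_jwt(token, key=SECRET, now=None):
    """Return the claims if the token verifies, else raise ValueError naming the reason."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad Base64url or bad JSON
        raise ValueError("malformed token") from None
    # Pin the algorithm server-side: the alg header is attacker-controlled, so alg:none must never win.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    if not hmac.compare_digest(sign_hs256(header_b64, payload_b64, key), signature):
        raise ValueError("bad signature")  # any edit to header or payload lands here
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int):
        raise ValueError("missing exp")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("expired")
    return payload

def rejection_reason(token, key=SECRET, now=None):
    try:
        verify_jwt(token, key, now)
    except ValueError as err:
        return str(err)
    return None
```

rejection_reason returns None for a valid token and otherwise the reason string, which is the outcome each of the test-workflow steps should observe against a correctly implemented service.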

Step 4: Test Refresh Token Logic

Check whether the refresh endpoint issues tokens without validating:

  • old token

  • session

  • user identity

Step 5: Test Token Replay

Use older captured tokens.
If accepted → replay vulnerability.

Why Cookie & Token Vulnerabilities Occur

Causes include:

  • trusting client-side data

  • weak signature validation

  • no expiry or session timeout

  • insecure cookie attributes

  • storing sensitive data in localStorage

  • improper credential handling

  • relying on JWT for authorization without checks

Developers often forget that client-side storage is fully attacker-controlled.

Impact of Cookie & Token Security Failures

Cookie and token vulnerabilities cause:

  • full account takeover

  • privilege escalation

  • session hijacking

  • authentication bypass

  • impersonation

  • permanent access via stolen refresh tokens

  • unauthorized API use

  • financial loss

  • complete compromise of user identity

Cookies and tokens are the keys to the kingdom—if attackers obtain or tamper with them, the entire application is compromised.

Intel Dump

  • Cookies require Secure, HttpOnly, SameSite, and proper Domain/Path settings.

  • Missing or weak cookie attributes expose sessions to theft, fixation, and replay.

  • JWT vulnerabilities include weak signatures, long-lived tokens, missing expiry, and sensitive data in payloads.

  • Tokens stored in localStorage are vulnerable to XSS extraction.

  • Session fixation, cookie replay, and token tampering allow authentication bypass.

  • The impact includes account takeover, impersonation, and full system compromise.
