As a pen tester, you will always check the cookie logic when looking for a way to crack the website.
Cookies are a common and essential part of session control for
a website; however, not all developers understand how
a hacker will take advantage of their cookies.
The simplest way is to install a cookie editor, such as the
Firefox extension "Add N Edit Cookies", and then start enumerating
the values of the cookies.
There may be some cookies created with an understandable name and
set to a value with a clear meaning. You may want to change the value of a
cookie named login_id or login_name to see who you will be after
reloading your browser.
You may want to delete the cookies one by one to check which one manages the session.
There is a good chance that the cookie values are encoded by
some encryption algorithm. So you may want to encode some keywords such
as Username, Login ID, Password and compare the hash to the cookie
values.
Don't forget to check for the possibility of SQL injection. You
may want to put the special characters used for SQL injection tests into the
values of the cookies.
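
Seen from the defender's side, the three checks above (editing login_id, recomputing a hash of a keyword, putting SQL special characters into a cookie) all fail against a server that signs the cookie with a secret key and binds the value as a query parameter. This is an added example, not code from the original post; SERVER_KEY, the users table and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def weak_cookie(login_id: str) -> str:
    """Unkeyed hash of the identity: anyone can recompute it for any login_id."""
    return hashlib.md5(login_id.encode()).hexdigest()


def issue_cookie(login_id: str, key: bytes = SERVER_KEY) -> str:
    """Return 'login_id.tag', where tag is HMAC-SHA256(key, login_id)."""
    tag = hmac.new(key, login_id.encode(), hashlib.sha256).hexdigest()
    return f"{login_id}.{tag}"


def verify_cookie(value: str, key: bytes = SERVER_KEY):
    """Return the login_id if the tag verifies, otherwise None."""
    login_id, sep, tag = value.rpartition(".")
    if not sep or not login_id:
        return None  # no tag at all, e.g. a bare edited 'admin'
    expected = hmac.new(key, login_id.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; str input with non-ASCII would raise.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return login_id if ok else None


def lookup_user(db: sqlite3.Connection, cookie_value: str):
    """Verify first, then query with a bound parameter, never string concatenation."""
    login_id = verify_cookie(cookie_value)
    if login_id is None:
        return None
    sql = "SELECT login_id, role FROM users WHERE login_id = ?"
    return db.execute(sql, (login_id,)).fetchone()


def demo_db() -> sqlite3.Connection:
    """Constructed sample data for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login_id TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "user"), ("admin", "admin")])
    return db
```
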
Viva Cookie!
