If the **cookie **is using some **Base encoding **(like Base64) or similar you may be able to **decode it**, **change **the **content **and **impersonate **arbitrary users.
Steal a cookie and use it to impersonate the user inside an application
### Session fixation
The attacker get a cookie from a web page and send to the victim a link so the victim logins using the cookie of the attacker. If the cookie is not changed when a user logs in, this could be useful because the attacker could be able to impersonate the user using the cookie.
### Session donation
The attacker sends his own session to the victim. The victim will see that he is already loged and will suppose that he is inside his own account but the actions will be performed inside the attackers account.
### [JWT Cookie](hacking-jwt-json-web-tokens.md)
Click on the previous link to access a page explaining possible flaws in JWT.
* Check if the cookie has any information in it and try to modify it
* Try to create several accounts with almost the same username and check if you can see similarities.
* Check "**remember me**" option if it exists and check how does it works. If it exists and could be vulnerable, always use the cookie of **remember me** without any other cookie.
* If you change the password and previous cookie still works
If the cookie remains the same (or almost) when you log in, this probably means that the cookie is related to some field of your account (probably the username). Then you can:
* Try to create a lot of **accounts** with usernames very **similar** and try to **guess** how is working the algorithm
* Try to **bruteforce the username**. If the cookie saves only as authentication method your username, then you can create an account with username "**Bmin**" and **bruteforce** every single **bit** of your cookie because one of the cookies that you will try will the one belonging to "**admin**".
If the attack has been successfully performed, then you could try to encrypt a string of your choice. For example, if you would want to **encrypt****user=administrator**
This execution will give you the cookie correctly encrypted and encoded with the string **user=administrator** inside.
**CBC-MAC**
Maybe a cookie could have some value and could be signed using CBC. Then, the integrity of the value is the signature created by using CBC with the same value. As it is recommended to use as IV a null vector, this type of integrity checking could be vulnerable.
**The attack**
1. Get the signature of username **administ** = **t**
2. Get the signature of username **rator\x00\x00\x00 XOR t** = **t'**
Create a user called form example "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" and check if there is any pattern in the cookie (as ECB encrypts with the same key every block, the same encrypted bytes could appear if the username is encrypted).
There should be a pattern (with the size of a used block). So, knowing how are a bunch of "a" encrypted you can create a username: "a"\*(size of block)+"admin". Then, you could delete the encrypted pattern of a block of "a" from the cookie. And you will have the cookie of the username "admin".
*`Expires` sets an expiry date for when a cookie gets deleted
*`Max-age` sets the time in seconds for when a cookie will be deleted **(use this, it’s no longer 2009)**
### **Domain**
The `Domain` attribute specifies **which hosts can receive a cookie**. If unspecified, the attribute **defaults **to the** same host** that set the cookie, _**excluding subdomains**_. **If `Domain` **_**is**_** specified, then subdomains are always included**. Therefore, specifying `Domain` is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
For example, if you set `Domain=mozilla.org`, cookies are available on subdomains like `developer.mozilla.org`. But if you don't, the cookie won't be sent to subdomains.
### **Path**
The `Path` attribute indicates a **URL path that must exist in the requested URL in order to send the `Cookie` header**. The `%x2F` ("/") character is considered a directory separator, and subdirectories match as well.
**Notice that from Chrome80 (feb/2019) the default behaviour of a cookie without a cookie **_**samesite **_**attribute will be lax **([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)). Notice that temporary, after applying this change, the **cookies without a SameSite****policy** in Chrome will be **treated as None during the first 2 minutes and then as Lax**.
* This could be Bypassed with **TRACE****HTTP** requests as the response from the server (if this HTTP method is available) will reflect the cookies sent. This technique is called **Cross-Site Tracking**.
* This technique is avoided by **modern browsers by not permitting sending a TRACE **request from JS. However, some bypassed to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.