loading
loading
Vulnerabilities
Detect and abuse vulnerable implementations of stateless sessions.
overview
CookieMonster targets stateless sessions, the kind that pack their state into a signed cookie instead of a server-side store. Frameworks like Django, Flask, Rack/Rails, Laravel, and Express sign these cookies with a secret key, and when that key is weak, default, or leaked, the signature can be cracked offline. CookieMonster decodes a cookie, identifies the scheme behind it, and grinds a wordlist of candidate keys against the signature until one verifies.
Recover the key and you can resign a cookie with data of your choosing, which usually means privilege escalation or full account takeover. CookieMonster pulls a cookie straight from a URL, runs a high concurrency of attempts against the builtin 38,919-key wordlist or your own list, and resigns Django cookies with new payloads once a key lands. It also reads JSON Web Tokens signed with HS256, HS384, or HS512.
On Trickest, CookieMonster is a Vulnerabilities node that takes a URL or a cookie and writes a file and a folder of results. Wire it after a step that collects session cookies during testing to flag any app that signed them with a guessable secret.
use cases
Decode a signed session cookie and run a key wordlist against the signature to find apps using a default, dev, or otherwise guessable signing secret.
Once the key is recovered, resign a Django cookie with new data to prove privilege escalation or account takeover in a report.
Point CookieMonster at a URL with -url so it fetches the Set-Cookie session value itself instead of you pasting one by hand.
Feed cookies from Django, Flask, Rack, Express, Laravel, and JWT-based apps and let CookieMonster detect each scheme and try the same key list.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| cookie | STRING | -cookie | The cookie to attempt to decode and unsign. |
| url | STRING | -url | An HTTP URL to fetch the session cookie from instead of supplying one. |
| wordlist | FILE | -wordlist | Path to a base64-encoded key wordlist (default is the builtin list). |
| resign | STRING | -resign | Unencoded data to resign the cookie with (Django only). |
| concurrency | STRING | -concurrency | How many attempts run concurrently (default 100). |
| verbose | BOOLEAN | -verbose | Show additional output on how the cookie is decoded. |
Showing key inputs. cookiemonster exposes 6 inputs in total.
example
# pull the session cookie from a URL and crack its signing key against a custom listcookiemonster -url https://app.example.com/ -wordlist secret-keys.b64 -concurrency 200🍪 CookieMonster 1.3.0ℹ️ CookieMonster loaded the default wordlist; it has 38919 entries.ℹ️ CookieMonster fetched a session cookie from https://app.example.com/.✅ Success! I discovered the key for this cookie with the django decoder; it is "changeme".ℹ️ CookieMonster resigned your cookie with the recovered key.🍪 gAJ9cQFYBAAAAHJvbGVxAlgFAAAAYWRtaW5xA3Mu:1sXkQe:h3Kd0pR7nZ2xL0hJ6gguidance
Use CookieMonster when you have a signed session cookie and want to know whether its secret is crackable. It works on stateless, signed cookies, so it does not apply to opaque server-side session ids. For decoding and tampering with JWTs specifically, jwt-tool is the sharper fit.
Decodes and attacks JWTs specifically. CookieMonster covers signed cookies across several framework schemes.
General-purpose cracker. CookieMonster is purpose-built for the cookie-signing schemes and resigning.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
A target URL feeds CookieMonster, which pulls the session cookie, cracks its signing key against a wordlist, and writes the result as output.
Facts on this page come from the live Trickest tool library.