6.2.3 Session Hijacking via Cookie Tampering

Cookie tampering is a method in which the attacker manipulates or modifies the information of the stored data on a web browser. This includes all types of data like personal information (name, number, address), and credentials for certain websites, or it can be the settings for specific websites. it is intended to steal valuable information from users.

We can capture a cookie (usually encoded in Base64) using Burp Suite,

and decode it in plain text using Decoder:

Seeing it, we quickly understand that we're log in, and we've not admin permission, then we can change value of admin to 'True' and encoding again it in Base 64:

Now that we've setted session id with admin privileges, we can use repeater to use this custom session id value and login in into privileged account.

Previous6.2.2 Session Fixation Next6.2 CSRF

Last updated 5 months ago