🍪 CookieMonster

CookieMonster is a command-line tool and API for decoding and modifying vulnerable session cookies from several different frameworks. It is designed to run in automation pipelines which must be able to efficiently process a large amount of these cookies to quickly discover vulnerabilities. Additionally, CookieMonster is extensible and can easily support new cookie formats.

It's worth emphasizing that CookieMonster finds vulnerabilities in users of frameworks, usually not in the frameworks themselves. These users can resolve vulnerabilities found via CookieMonster by configuring the framework to use a strong secret key.

Features

  • Decodes and unsigns session cookies from Laravel, Django, Flask, Rack, and Express, and also handles raw JWTs.
  • Rapidly evaluates cookies; ignores invalid and unsupported cookies, and quickly tests those that it can.
  • Takes full advantage of Go's fast, native implementations for hash functions.
  • Intelligently decodes URL-encoded and Base64-encoded cookies (e.g. the Base64 of a JWT) when the initial decoding fails.
  • Supports many algorithms for HMAC-based decoders, even if the framework typically only uses one.
  • Flexible base64-encoded wordlist format allows any byte sequence to be added as a key, not just printable text; ships with a reasonable default list.
Framework                Supported   Notes
JSON Web Tokens          Yes         HS256, HS384, HS512
Django                   Yes         Common algorithms
Flask                    Yes         Common algorithms
Rack                     Yes         Common algorithms
Express (cookie-signer)  Yes         Common algorithms
Laravel                  Yes         AES-CBC-128/256 (GCM not yet supported)
Others                   Not yet!

Getting Started

To install CookieMonster, install Go and then install the CLI:

go install github.com/iangcarroll/cookiemonster/cmd/cookiemonster@latest

CookieMonster only needs two essentials: a cookie to try to unsign, and a wordlist to use. If you don't have a wordlist, CookieMonster ships with a default wordlist from the Flask-Unsign project. CookieMonster wordlists are a bit different from most: each line must be the base64 encoding of one candidate key. This is because secret keys in Python projects in particular often contain non-printable or non-UTF-8 bytes, which a plain-text wordlist cannot carry, and CookieMonster needs to handle them exactly.

An example of using the CLI:

% ./cookiemonster -cookie "gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1mgnkC:z5yDxzI06qYVAU3bkLaWYpADT4I"

🍪 CookieMonster 1.0.0
ℹ️ CookieMonster loaded the default wordlist; it has 38921 entries.
✅ Success! I discovered the key for this cookie; it is: changeme

Express support

CookieMonster supports cookies signed with cookie-session, which is common with Express. However, cookie-session does several unusual things, so some care is needed to feed its cookies to this tool. A typical response from a cookie-session application looks like this:

set-cookie: session=eyJhbmltYWxzIjoibGlvbiJ9
set-cookie: session.sig=Vf2INocdJIqKWVfYGhXwPhQZNFI

To pass this into CookieMonster, you must include both the cookie name and the value of the signature cookie, because the name is part of the signed data. In this example, you would call CookieMonster like this: cookiemonster -cookie session=eyJhbmltYWxzIjoibGlvbiJ9^Vf2INocdJIqKWVfYGhXwPhQZNFI (note the delimiting ^ and the prefixed cookie name). The API accepts this same format in monster.NewCookie.
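The scheme behind that ^ format, as an added example that is not CookieMonster's own code: cookie-session signs through the cookies and Keygrip libraries, whose defaults are HMAC-SHA1 over the string name=value, base64-encoded with + and / replaced by - and _ and the = padding dropped. Because the cookie name is inside the signed data, a key cannot be recovered from the value alone, which is why the name prefix is required. The same code also reads and writes a wordlist in the base64-per-line format described under Getting Started (it assumes standard, padded base64 per line; the page does not say which alphabet CookieMonster uses). Only the cookie body eyJhbmltYWxzIjoibGlvbiJ9 comes from the README; the wordlist, the key "keyboard cat" and the signature computed from it are constructed here so the example runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CookieSessionCookie is the pair that Express's cookie-session emits:
// a body cookie and a "<name>.sig" companion holding the signature.
type CookieSessionCookie struct {
	Name  string // e.g. "session"
	Value string // e.g. "eyJhbmltYWxzIjoibGlvbiJ9"
	Sig   string // value of the session.sig cookie
}

// ParseCookieMonsterInput parses CookieMonster's "name=value^sig" form and
// rejects input that omits the cookie name, since the name is signed too.
func ParseCookieMonsterInput(s string) (CookieSessionCookie, error) {
	body, sig, ok := strings.Cut(s, "^")
	if !ok || sig == "" {
		return CookieSessionCookie{}, errors.New("missing ^signature")
	}
	name, value, ok := strings.Cut(body, "=")
	if !ok || name == "" {
		return CookieSessionCookie{}, errors.New("missing name= prefix")
	}
	return CookieSessionCookie{Name: name, Value: value, Sig: sig}, nil
}

// SignedData is the string the cookies library hands to Keygrip: "name=value".
func (c CookieSessionCookie) SignedData() string { return c.Name + "=" + c.Value }

// KeygripSign reproduces Keygrip's default signature: HMAC-SHA1, base64 with
// '+'->'-', '/'->'_' and '=' padding removed, i.e. unpadded base64url.
func KeygripSign(key []byte, data string) string {
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(data))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks the .sig cookie against one candidate key in constant time.
func (c CookieSessionCookie) Verify(key []byte) bool {
	return hmac.Equal([]byte(KeygripSign(key, c.SignedData())), []byte(c.Sig))
}

// Unsign tries each wordlist entry in turn and returns the first key that verifies.
func (c CookieSessionCookie) Unsign(keys [][]byte) ([]byte, bool) {
	for _, k := range keys {
		if c.Verify(k) {
			return k, true
		}
	}
	return nil, false
}

// LoadWordlist parses CookieMonster's wordlist format: one base64 entry per
// line, so keys containing arbitrary bytes survive. Assumes standard padded
// base64 (not stated on the page); blank lines are skipped, bad lines rejected.
func LoadWordlist(text string) ([][]byte, error) {
	var keys [][]byte
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		k, err := base64.StdEncoding.DecodeString(line)
		if err != nil {
			return nil, fmt.Errorf("wordlist line %d: %w", i+1, err)
		}
		keys = append(keys, k)
	}
	return keys, nil
}

// EncodeWordlist writes raw keys in that format; a key with a 0xff byte is
// the kind of entry a plain-text wordlist could not carry.
func EncodeWordlist(keys [][]byte) string {
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(base64.StdEncoding.EncodeToString(k))
		b.WriteByte('\n')
	}
	return b.String()
}

func main() {
	// Constructed wordlist and key; only the cookie body is from the README.
	wordlist := EncodeWordlist([][]byte{[]byte("secret"), {0xff, 0x00, 0x01}, []byte("keyboard cat")})
	keys, err := LoadWordlist(wordlist)
	if err != nil {
		panic(err)
	}
	c := CookieSessionCookie{Name: "session", Value: "eyJhbmltYWxzIjoibGlvbiJ9"}
	c.Sig = KeygripSign([]byte("keyboard cat"), c.SignedData())
	fmt.Printf("cookiemonster -cookie %s=%s^%s\n", c.Name, c.Value, c.Sig)
	if k, ok := c.Unsign(keys); ok {
		fmt.Printf("recovered key: %q\n", k)
	}
}
```

Run it and feed the printed -cookie argument to CookieMonster with the same wordlist to confirm both agree on the key; changing the cookie name to anything other than session makes the same signature fail, which is the point of the name prefix.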

Resigning support

CookieMonster has limited support for resigning a cookie once it has been unsigned, with the -resign flag. This involves modifying the body of the cookie to match your input, and then re-computing the signature with the key we discovered. Currently, you can do this for Django-decoded cookies; ensure you pass the original cookie to -cookie, and pass -resign an unencoded string of text you'd like to be inside the cookie. CookieMonster will correctly encode your input and then resign the cookie.
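The Django layout that -resign rewrites, as an added example and not CookieMonster's code: Django's signing.dumps produces base64url(payload):base62(timestamp):base64url(HMAC), where the HMAC covers payload:timestamp and is keyed with H(salt + "signer" + SECRET_KEY); H is SHA-1 in Django before 3.1 (27-character signatures, as in the cookie in Getting Started) and SHA-256 since. The salt belongs to whatever produced the cookie: the example above decodes to a pickled {'testcookie': 'worked'}, which is what the session framework's test cookie looks like, so the signed_cookies session salt is used here. That reading of Django's signing code, the key "changeme" being the one CookieMonster reported, and the replacement payload are all assumptions of this example rather than statements from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// Django signed cookie: base64url(payload) ":" base62(timestamp) ":" base64url(HMAC).
// The HMAC covers "payload:timestamp" and is keyed with H(salt + "signer" + SECRET_KEY).

const b62Alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// SessionSalt is the salt of the signed_cookies session backend; other
// users of django.core.signing pass their own.
const SessionSalt = "django.contrib.sessions.backends.signed_cookies"

var (
	SHA1   = sha1.New   // default before Django 3.1: 27-character signatures
	SHA256 = sha256.New // default from Django 3.1: 43-character signatures
)

// DjangoCookie holds the three colon-separated fields; the payload is
// opaque here (pickle in the README's case, JSON in current Django).
type DjangoCookie struct{ Payload, Timestamp, Sig string }

func ParseDjangoCookie(s string) (DjangoCookie, error) {
	p := strings.Split(s, ":")
	if len(p) != 3 || p[0] == "" || p[1] == "" || p[2] == "" {
		return DjangoCookie{}, errors.New("expected payload:timestamp:signature")
	}
	return DjangoCookie{p[0], p[1], p[2]}, nil
}

// B62Encode and B62Decode mirror Django's base62 timestamp encoding.
func B62Encode(n int64) string {
	if n == 0 {
		return "0"
	}
	var out []byte
	for ; n > 0; n /= 62 {
		out = append([]byte{b62Alphabet[n%62]}, out...)
	}
	return string(out)
}

func B62Decode(s string) (int64, error) {
	var n int64
	for _, ch := range s {
		i := strings.IndexRune(b62Alphabet, ch)
		if i < 0 {
			return 0, fmt.Errorf("invalid base62 digit %q", ch)
		}
		n = n*62 + int64(i)
	}
	return n, nil
}

// DjangoSignature reproduces Signer.signature(): unpadded base64url of
// HMAC(value) keyed with H(salt + "signer" + secret).
func DjangoSignature(h func() hash.Hash, salt, secret, value string) string {
	kh := h()
	kh.Write([]byte(salt + "signer" + secret))
	mac := hmac.New(h, kh.Sum(nil))
	mac.Write([]byte(value))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature over "payload:timestamp" in constant time.
func (c DjangoCookie) Verify(h func() hash.Hash, salt, secret string) bool {
	want := DjangoSignature(h, salt, secret, c.Payload+":"+c.Timestamp)
	return hmac.Equal([]byte(want), []byte(c.Sig))
}

// Resign is what -resign does once the key is known: encode the replacement
// payload (raw bytes, as typed on the command line), stamp it with unixNow
// and sign it. No zlib compression, so no leading "." marker.
func Resign(h func() hash.Hash, salt, secret string, newPayload []byte, unixNow int64) string {
	payload := base64.RawURLEncoding.EncodeToString(newPayload)
	ts := B62Encode(unixNow)
	return payload + ":" + ts + ":" + DjangoSignature(h, salt, secret, payload+":"+ts)
}

func main() {
	// The README's cookie (27-character signature, so SHA-1) with the key CookieMonster reported.
	c, err := ParseDjangoCookie("gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1mgnkC:z5yDxzI06qYVAU3bkLaWYpADT4I")
	if err != nil {
		panic(err)
	}
	ts, _ := B62Decode(c.Timestamp)
	fmt.Println("issued at unix", ts, "verifies under changeme:", c.Verify(SHA1, SessionSalt, "changeme"))
	// Constructed replacement payload, re-stamped with the original time and signed with that key.
	fmt.Println(Resign(SHA1, SessionSalt, "changeme", []byte(`{"testcookie":"tampered"}`), ts))
}
```

Two details matter when resigning by hand: the timestamp is inside the signed string, so a stale timestamp and a fresh one produce different signatures (and the server may enforce a max age), and the salt must match the consumer, since the same key and payload under django.core.signing's default salt yields a different, rejected signature.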

API usage

CookieMonster exposes pkg/monster, which allows other applications to easily take advantage of it. This is much more performant than booting the CLI if you are testing many cookies. An example usage of it is below.

import (
	_ "embed" // needed for the //go:embed directive below
	"errors"

	"github.com/iangcarroll/cookiemonster/pkg/monster"
)

var (
	//go:embed wordlists/my-wordlist.txt
	monsterWordlist string

	wl = monster.NewWordlist()
)

func init() {
	// Load the base64-per-line wordlist once and reuse it for every cookie.
	if err := wl.LoadFromString(monsterWordlist); err != nil {
		panic(err)
	}
}

// MonsterRun reports whether the cookie could be decoded and its signing key recovered.
func MonsterRun(cookie string) (success bool, err error) {
	c := monster.NewCookie(cookie)

	if !c.Decode() {
		return false, errors.New("could not decode")
	}

	// Unsign returns the recovered key and whether the search succeeded.
	if _, ok := c.Unsign(wl, 100); !ok {
		return false, errors.New("could not unsign")
	}

	return true, nil
}

Credits

CookieMonster is built with inspiration from several sources, and ships with the excellent Flask-Unsign wordlists.

Comments
  • malformed module path

    malformed module path "embed": missing dot in first path element

    When using go install github.com/iangcarroll/cookiemonster/cmd/cookiemonster@latest

    we get: can't load package: package github.com/iangcarroll/cookiemonster/cmd/cookiemonster@latest: can only use path@version syntax with 'go get'

    And when using go get github.com/iangcarroll/cookiemonster/cmd/cookiemonster@latest

    we get: build github.com/iangcarroll/cookiemonster/cmd/cookiemonster: cannot load embed: malformed module path "embed": missing dot in first path element

    • Is this something I'm doing wrong on my end, or does this have to do with cookiemonster?
    • How can I fix this and start using cookiemonster?
  • runtime/internal/sys

    go version go1.17.1 linux/amd64

    go install github.com/iangcarroll/cookiemonster/cmd/cookiemonster@latest

    runtime/internal/sys
    /usr/local/go/src/runtime/internal/sys/stubs.go:9:7: PtrSize redeclared in this block
    /usr/local/go/src/runtime/internal/sys/arch.go:24:38: previous declaration
    /usr/local/go/src/runtime/internal/sys/stubs.go:10:24: undefined: Uintreg
    /usr/local/go/src/runtime/internal/sys/stubs.go:16:7: StackGuardMultiplier redeclared in this block
    /usr/local/go/src/runtime/internal/sys/arch.go:27:74: previous declaration

  • Docs / Implement URL parsing by cookiemonster itself

    Hello, iangcarroll, big thanks for your project and contribution!

    As far as I understand, your project currently requires a specific cookie or a URL with a cookie in it.

    So first of all we need to get the HTTP body, parse it, parse the cookies and their values, and then run cookiemonster for each cookie.

    You can't just pass a URL into cookiemonster to parse all the cookies and try to decode them, right?

    My idea is: for example, I've got 500 subdomains from amass, then I pass them to httpx to get alive applications with their schemes, and then pass those URLs to ffuf, gau and cookiemonster.

    As I see it now, it's not possible to do it that way, and I need to implement body parsing and pass each cookie I've found from the body, right? Because now cookiemonster -url "url" says: Sorry, I did not receive any cookies from that URL.

    Hope to hear your answer soon, and thanks for your hard work!
