A utility for automating the testing of Express.js session cookie secrets (checking a captured session cookie and its companion signature cookie against a wordlist of candidate secrets) and for re-signing modified cookies once the secret is known.
cookie-monster is available on npm. To install it, type:
$ yarn global add @digital-interruption/cookie-monster
Alternatively, to install from source:
$ git clone https://github.com/DigitalInterruption/cookie-monster
$ cd cookie-monster
$ yarn install
$ yarn link
After installation, the cookie-monster executable will be available, and accepts the following arguments:
-b, --batch Enable batch mode.
-c, --cookie string The session cookie to use when not using batch mode.
-e, --encode Enable encode mode.
-h, --help Print this usage guide.
-f, --input-file file The JSON file with the cookie data to analyse in batch mode / the JSON data to be encoded in encode mode.
-n, --name string The cookie name to use when not using batch mode. (default: session)
-o, --output file The file to output the results to.
-p, --port number The port to bind the local test server to. (default: 3000)
-k, --secret string The secret key to use when using encode mode.
-s, --signature string The value of the session signature cookie to use when not using batch mode.
-v, --verbose Output verbose messages on internal operations.
-w, --wordlist file The wordlist to use as a source of possible cookie secrets.
When testing cookies in batch mode, the input file must follow a specific format. The file must contain a JSON array of objects, each of which should contain the following:
name: the name of the session cookie
samples: an array of cookie samples
Each cookie sample object should consist of the following:
ip: the IP address of the host the cookie was obtained from
port: the port of the service the cookie was obtained from
data: the contents of the session cookie
sig: the contents of the signature cookie
A sample file can be found below:
[
{
"name": "session",
"samples": [
{
"ip": "127.0.0.1",
"port": 3000,
"data": "eyJmb28iOiJiYXIifQ==",
"sig": "LVMVxSNPdU_G8S3mkjlShUD78s4"
},
{
"ip": "127.0.0.1",
"port": 443,
"data": "eyJmb28iOiJiYXIifQ==",
"sig": "LVMVxSNPdU_G8S3mkjlShUD78s4"
}
]
},
{
"name": "cookieName",
"samples": [
{
"ip": "127.0.0.1",
"port": 3000,
"data": "eyJmb28iOiJiYXIifQ==",
"sig": "LVMVxSNPdU_G8S3mkjlShUD78s4"
},
{
"ip": "127.0.0.1",
"port": 443,
"data": "eyJmb28iOiJiYXIifQ==",
"sig": "LVMVxSNPdU_G8S3mkjlShUD78s4"
}
]
}
]
Test a single cookie against the default wordlist (the cookie name defaults to session):
$ cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4
Specify the cookie name explicitly. The name is part of the signed string, so a wrong name will fail to recover the secret even when it is in the wordlist:
$ cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -n session
Use a custom wordlist:
$ cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -w custom.lst
Test many cookies at once in batch mode (see the input file format above):
$ cookie-monster -b -f cookies.json
Batch mode with a custom wordlist:
$ cookie-monster -b -f cookies.json -w custom.lst
Write the results to a file:
$ cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -o results.json
Note: the file created by the -o option will be a JSON file containing an array of all secrets that were successfully identified, along with information to identify their source.
A sample results file can be found below:
[
{
"name": "session",
"data": "eyJmb28iOiJiYXIifQ==",
"sig": "LVMVxSNPdU_G8S3mkjlShUD78s4",
"ip": "127.0.0.1",
"port": 3000,
"decodedData": "{\"foo\":\"bar\"}",
"secret": "keyboard cat"
},
{
"name": "session",
"data": "eyJmb28iOiJiYXIifQ==",
"sig": "LVMVxSNPdU_G8S3mkjlShUD78s4",
"ip": "127.0.0.1",
"port": 443,
"decodedData": "{\"foo\":\"bar\"}",
"secret": "keyboard cat"
}
]
Once a secret is known, encode mode re-signs a (possibly modified) session so the server will accept it. Supply the decoded session data and the secret:
$ cookie-monster -e -f new_cookie.json -k secret
Note: the input file must contain the raw JSON cookie data, not the base64-encoded data. In this example, new_cookie.json would not contain ewogICJmb28iOiAiYmFyIgp9Cg== but would contain:
{
"foo": "bar"
}
The output from cookie-monster will then provide both encoded cookies, which can be copied directly into an HTTP request:
[+] Data Cookie: session=eyJmb28iOiJiYXIifQ==
[+] Signature Cookie: session.sig=YyeDeoG1AwlyHWZWt1MIMum4dZg
For more information on this type of attack, see our blog post and whitepaper.