June 15, 2026
MiniCTF: Cookie Monster Secret Recipe
hexidecimal
Cookies are unique, pseudo-randomly generated IDs that the client presents on subsequent requests to the application so that, once a user has authenticated, authorization to resources can be maintained without repeating the authentication check on every request.
Cookies therefore present a possible attack vector against applications if they are not implemented carefully. This lab demonstrates why cookie values must be protected robustly.
On spawning the lab, we are presented with a login screen with no possible means of creating an account. It becomes second nature to enter random credentials to see the outcome. A message pops up afterwards stating that credentials are obsolete and that only session cookies are of use.
With this message, one opts to look at the cookie values presented. I used Burp Suite to study the application and noticed a cookie value sent in a response to the client side. From there it was a matter of URL and Base64 decoding after detecting the indicators of the encoding schemes ('%3D' and '==' respectively).
It is important to ensure that cookie values are securely generated and appropriately formatted so they do not expose sensitive information or become susceptible to prediction or tampering. Additional cookie attributes, such as HttpOnly, Secure, and SameSite, can be used to control how cookies are handled by browsers and transmitted in both same-site and cross-site requests, helping to strengthen the overall security of web applications.
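The following Python is an added example, not code from the lab or the write-up: it reproduces the flawed scheme the post describes (JSON, Base64, then URL-encoded), peels those layers off a cookie by the same indicators the write-up relies on ('%3D' and '==') to flag a cookie that merely encodes its contents, and contrasts it with an opaque random session ID carrying the attributes mentioned above. The cookie name, the session contents and the server-side store are constructed assumptions.

```python
import base64
import binascii
import json
import secrets
from urllib.parse import quote, unquote


def make_weak_cookie(session: dict) -> str:
    """Mimic the lab's flawed scheme: JSON -> Base64 -> URL-encode.
    Encoding only changes the representation; anyone can reverse it."""
    return quote(base64.b64encode(json.dumps(session).encode()).decode())


def peel_cookie(value: str) -> dict:
    """Strip the URL and Base64 layers a reviewer would spot ('%3D', trailing '==')
    and report whether readable application data sits underneath."""
    layers = []
    if "%" in value:                      # percent-escapes such as %3D mean URL encoding
        value = unquote(value)
        layers.append("url")
    text = value
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
        layers.append("base64")           # '==' padding is the usual giveaway
    except (binascii.Error, UnicodeDecodeError):
        pass                              # not Base64 text; an opaque token ends up here
    try:
        json.loads(text)
        structured = True
    except ValueError:
        structured = False
    # Data is exposed when at least one layer was peeled and printable text came out.
    exposed = bool(layers) and text.isprintable()
    return {"layers": layers, "plaintext": text, "structured": structured, "exposed": exposed}


SESSIONS = {}                             # constructed server-side store: cookie is only a lookup key


def issue_session_cookie(session: dict, name: str = "session"):
    """Hardened alternative: a random 256-bit opaque ID, state kept server side,
    plus the HttpOnly, Secure and SameSite attributes. Returns (token, Set-Cookie value)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = session
    header = f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"
    return token, header


if __name__ == "__main__":
    weak = make_weak_cookie({"user": "guest", "role": "admin"})
    print(weak, "->", peel_cookie(weak))
    print(issue_session_cookie({"user": "guest"})[1])
```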