How to use a victim's cookie?


On the web, we often come across articles explaining how to retrieve a victim's cookies with sniffing tools or by exploiting XSS flaws. On the other hand, we never find the method to use the cookie.

Usually, a cookie is a small text file that a website stores on your hard drive. The storage is carried out by your browser, and the website you are visiting uses the cookie to recognize you. When you come back to the same site several days after your visit, it will ask for your cookie; if the cookie is still present on your hard drive, the website will read the information it contains and redirect you to your session without authentication.

The aim of the hacker is therefore generally to steal the victim's cookie in order to exploit its content.

In this article, we will see how to exploit and use the cookie, assuming you have already retrieved a target's cookie using a sniffer, a man-in-the-middle attack, or perhaps by directly accessing a loved one's computer.

I have the victim's cookie but how can I use it?

For this you will need the following tools:

  • Greasemonkey
    Greasemonkey is an add-on for Firefox that allows you to run JavaScript scripts on different web pages.
  • cookie-injector
    cookie-injector is a script that injects the cookie string into any web page.

Example of use

After installing the two tools, we will retrieve the cookie from a Facebook account in a Chrome browser and inject it into the Firefox browser (the principle is the same for cookies from other websites).

To do this, please follow the steps below:

  1. Open your Chrome browser then launch , enter the login and password
  2. Then type the following code in the address bar: "javascript: document.cookie" in order to recover the cookie from the Facebook account
  3. Copy the displayed cookie
  4. Now open Facebook in the Firefox browser
  5. Press the following keys: ALT + C
  6. Paste the cookie in the text field
  7. Finally, restart Facebook so you can access your session in the Firefox browser without entering any username or password.

To access a target's session, simply replace your cookie with the victim's cookie. 🙂
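
Step 2 reads the cookie through document.cookie, which only returns cookies set without the HttpOnly attribute, and the sniffing route mentioned in the introduction needs the cookie to cross the network unencrypted, which the Secure attribute prevents. The following added example (not part of the original article) audits Set-Cookie headers for those attributes and for long lifetimes; the function names, the 24-hour threshold and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the attributes that keep a
// session cookie out of document.cookie and off unencrypted connections.
const MAX_LIFETIME_S = 24 * 3600; // assumed policy threshold, not a standard

// Parse one Set-Cookie header value into { name, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no name=value pair
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq), attrs };
}

// Lifetime in seconds; Max-Age wins over Expires (RFC 6265). null = session cookie.
function lifetimeSeconds(attrs, now) {
  if (/^-?\d+$/.test(String(attrs['max-age']))) return Number(attrs['max-age']);
  if (typeof attrs.expires !== 'string') return null;
  const t = Date.parse(attrs.expires);
  return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
}

// Return the hardening gaps for one Set-Cookie header.
function auditCookie(header, now = Date.now()) {
  const c = parseSetCookie(header);
  if (!c) return { name: null, findings: ['unparseable'] };
  const findings = [];
  if (!c.attrs.httponly) findings.push('no-httponly'); // readable by page scripts
  if (!c.attrs.secure) findings.push('no-secure'); // may be sent over plain HTTP
  const life = lifetimeSeconds(c.attrs, now);
  if (life !== null && life > MAX_LIFETIME_S) findings.push('long-lived');
  return { name: c.name, findings };
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'session=abc123; Path=/; HttpOnly; Max-Age=2592000',
];

for (const h of SAMPLE_HEADERS) {
  const r = auditCookie(h);
  console.log(`${r.name}: ${r.findings.join(', ') || 'ok'}`);
}
```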