
I am not a developer, so please forgive my ignorance. Can someone explain why some cookies can be manipulated and submitted via Burpsuite proxy and some cannot? Is there something in JS (or whatever language) that checks against tampering? If so, can this be defeated?

Example: if I'm using Burpsuite during a penetration test, I can change the cookie value from NotAnAdmin to Admin. Sometimes this will work, and sometimes the server will still respond as if I did not make any changes and use the cookie as if it still said NotAnAdmin.

I have tried this with hashes as well, where I will try to swap out a hash or token or something to another one, but the site responds with the original token it generated or changes it back somehow and does not use the one I put in manually.

  • The fact that you're changing a cookie in the HTTP request doesn't make your browser aware that the cookie value changed and it will send the old value again in the next request. Commented May 18, 2018 at 15:57
  • That makes sense... but I still don't understand why sometimes it would work and sometimes it would not? What's that based on? Commented May 18, 2018 at 15:58
  • I guess it's hard to say without a concrete example. Sometimes the server may reflect the changed cookie back in a Set-Cookie header so your browser picks it up, sometimes it may not. Commented May 18, 2018 at 16:13
  • If you could elaborate a little and post as answer I'd accept it. Commented May 18, 2018 at 16:16

1 Answer


I stumbled upon this answer from Stack Exchange regarding why some cookies can be altered and some cannot.

Some are "signed" cookies. They use a hash and other information to prevent tampering.

https://stackoverflow.com/questions/11897965/what-are-signed-cookies-in-connect-expressjs#11898142
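
The signed-cookie check the answer above refers to, next to a server that trusts the raw cookie, as an added example that is not part of the original post and not Express's or Connect's own code. The secret, the `value.signature` layout, the function names and the fallback to `NotAnAdmin` are assumptions made for illustration.

```javascript
// Added illustration of HMAC-signed cookies; not any framework's actual code.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed secret for the demo; a real one is random and never leaves the server.
const SECRET = 'constructed-demo-secret';

function mac(value, secret) {
  return createHmac('sha256', secret).update(value).digest('base64url');
}

// When setting the cookie, the server appends a MAC over the value.
function sign(value, secret) {
  return `${value}.${mac(value, secret)}`;
}

// On every request the server recomputes the MAC and compares.
// Returns the value if the signature matches, otherwise false.
function unsign(cookie, secret) {
  const idx = cookie.lastIndexOf('.');
  if (idx === -1) return false; // no signature present
  const value = cookie.slice(0, idx);
  const given = Buffer.from(cookie.slice(idx + 1));
  const expected = Buffer.from(mac(value, secret));
  // timingSafeEqual throws on length mismatch, so check length first.
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected) ? value : false;
}

// Server that trusts the raw cookie: an edited value is used as sent.
function roleTrustingClient(cookie) {
  return cookie;
}

// Server that verifies: a failed check falls back to the unprivileged
// default (assumed behaviour), so the edit appears to be ignored.
function roleFromSignedCookie(cookie, secret) {
  const value = unsign(cookie, secret);
  return value === false ? 'NotAnAdmin' : value;
}

const issued = sign('NotAnAdmin', SECRET);
// Value edited in an intercepting proxy; the signature is left unchanged.
const tampered = issued.replace('NotAnAdmin', 'Admin');

console.log(roleTrustingClient('Admin'));            // Admin
console.log(roleFromSignedCookie(issued, SECRET));   // NotAnAdmin
console.log(roleFromSignedCookie(tampered, SECRET)); // NotAnAdmin
```

Because the signature is computed with a key only the server holds, a client cannot produce a valid signature for a changed value; the protection holds only as long as that key stays secret and the server actually verifies every signed cookie it reads.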
