
Foundstone CookieDigger


For the Less Impatient

CookieDigger, designed by Foundstone, is a free tool to help identify
weak cookie generation and usage by web applications. The tool works by
collecting and analyzing cookies issued by a web application for
multiple users.

The tool's functionality can be divided into three broad categories:
1. Cookie Collection
2. Cookie Analysis
3. Results

Average Length of the Cookie: If the cookie used as an authenticator is
short on average, fewer brute-force attempts are needed to hijack another
user's session. On a popular site many users can be assumed to be logged
in at the same time, so the chance that a brute-force attempt succeeds is
high.

Character Set of the Cookie: The character set used to generate the
cookie value plays an important role in determining the strength of the
authenticator. For any given cookie length, a larger character set
increases the strength of the authenticator exponentially. If an attacker
can determine the character set the application uses, brute-force
attempts can be crafted more efficiently. The combination of cookie
length and character set determines the strength of the authenticator.

Critical Information: The tool checks the cookie values set by the
application to see whether any cookie contains the username or password.
The check is performed on both the plain-text value of the cookie and on
its base64-decoded value. Other useful information commonly passed in
cookie values includes account numbers, names, privilege levels, etc.

Entropy of the Cookies: The tool compares the cookie values issued across
logins to check how many characters change on each subsequent login. If
the cookie value remains the same on subsequent logins, it shows that the
algorithm used to generate the cookies is vulnerable to chosen-plaintext
attacks. Furthermore, if the cookie values remain the same on subsequent
logins, the attacker has a longer window in which to perform brute-force
attempts.
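As an added illustration (not part of the CookieDigger tool or its user guide), the four checks above can be reproduced over an offline set of collected cookies. The usernames and cookie values below are constructed: each cookie is the base64 encoding of "user:password" and never changes between logins, so every check should flag it.

```python
import base64
import math
from typing import Dict, List

def b64_text(value: str) -> str:
    """Decode value as base64 text; return '' if it is not valid base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except Exception:
        return ""

def analyze_cookies(samples: Dict[str, List[str]]) -> dict:
    """samples: username -> cookie values received on successive logins.

    Applies the CookieDigger-style checks to the sample set: average length,
    character set (and the keyspace it implies, in bits), credential leakage
    in the raw or base64-decoded value, and change between logins.
    """
    values = [v for vs in samples.values() for v in vs]
    avg_len = sum(map(len, values)) / len(values)
    charset = "".join(sorted(set("".join(values))))
    # Keyspace a brute-force attempt must cover: |charset| ** avg_len, in bits.
    keyspace_bits = avg_len * math.log2(len(charset)) if len(charset) > 1 else 0.0
    # Critical-information check: username visible in raw or base64-decoded cookie.
    leaks = sorted(u for u, vs in samples.items()
                   if any(u in v or u in b64_text(v) for v in vs))
    # Entropy check: character positions that differ between consecutive logins;
    # the minimum over all users is reported (0 means a static cookie was seen).
    min_changed = None
    for vs in samples.values():
        for a, b in zip(vs, vs[1:]):
            changed = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
            min_changed = changed if min_changed is None else min(min_changed, changed)
    return {
        "avg_len": avg_len,
        "charset_size": len(charset),
        "keyspace_bits": round(keyspace_bits, 1),
        "leaks_username": leaks,
        "min_changed_between_logins": min_changed,
    }

# Constructed sample: two logins each for two hypothetical users.
SAMPLES = {
    "alice": ["YWxpY2U6czNjcmV0", "YWxpY2U6czNjcmV0"],  # base64("alice:s3cret")
    "bob": ["Ym9iOmh1bnRlcjI=", "Ym9iOmh1bnRlcjI="],    # base64("bob:hunter2")
}

if __name__ == "__main__":
    for name, result in analyze_cookies(SAMPLES).items():
        print(f"{name}: {result}")
```

A real collection run would feed the same structure from the Set-Cookie values captured for each test account; a min_changed of 0 or a username in leaks_username is the finding to report.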