Cookie Injection Using Greasemonkey


There are several Firefox plugins which allow the user to manipulate their browser cookies. However, most of these plugins force the user to manipulate cookies individually. This can become tedious if the user is simply “importing” cookies from, say, a Wireshark dump.

The CookieInjector userscript simplifies this process, by allowing the user to copy-paste the cookie portion of the dump and have the cookies from the dump automatically created on the currently viewed web page.

Updated Cookie Injector Script available on userscripts-mirror.org

To Use The Script:

Fire up Wireshark (formerly Ethereal); if you don’t have Wireshark you can grab it from http://www.wireshark.org/. Start listening for traffic on the same interface you use to access the internet. To cut down on extra packets, enter tcp as a capture filter. TCP is a transport layer protocol featuring reliable transport, congestion control and connection-oriented transfers. Since HTTP uses connections between client and server, and therefore the TCP protocol, it is safe to filter out all non-TCP packets. To further filter the packets that Wireshark is displaying, enter http.cookie in the filter field. This will filter out all packets which are not using the HTTP application layer protocol and all HTTP packets which do not contain cookies.

Next, go to a website that uses cookies. Most websites which support user logins or shopping carts use cookies for these purposes. Make sure that the website that you visit does not encrypt the entire session (such as a banking website), otherwise the packets will be encrypted and not viewable in Wireshark. After capturing a couple of packets which contain cookies, scroll down to the Hypertext Transfer Protocol portion of the packet preview, expand it, and scroll down to the cookie line. Right click on the line, and select copy->Bytes (Printable Text Only). This will copy the human-readable portion of the packet which represents the cookies associated with this website.

If you haven’t already, install Greasemonkey, and the CookieInjector userscript. Clear your private data, ensuring that the Cookies and Authenticated Sessions options are selected. This will delete all your cookies, so we can see the script in action. Press alt-c to view the CookieInjector dialogue, paste the cookie string from wireshark into the text box and click OK.

Congratulations! Your cookies have now been restored!

How The Script Works:

After the page has loaded the CookieInjector class is initialized. This involves setting up the dialogue and binding a function to the onkeydown event. When the user presses the ALT-C key combination, the CookieInjector keyPress function is called, which checks to see if the correct key combination has been triggered. If it is valid, the dialogue’s display style is changed, making it visible in the middle of the page.

After the user enters the cookie that was copied from Wireshark, the script does a quick cleanup of the string, and then adds the cookies to the browsing session.

Note that the cookie’s host will be the domain that is loaded in the browser when the cookie is injected. The root path will be used for the root of the cookie to ensure that the cookie is persistent across the entire domain. Finally, the cookie is a session cookie, which means that the cookie will expire when the browser is closed.

Security Implications Of Cookies

The use of cookies for identification and authentication presents a dangerous security risk for un-encrypted connections. Most websites (such as Hotmail, Facebook and Gmail) only encrypt the username and password when initially authenticating the user, and all traffic following the initial handshake is un-encrypted. As a result, the cookie information is readable by anyone who is listening with appropriate software, and malicious users can steal the cookies of other users on the network, possibly gaining access to their accounts. Un-encrypted or weakly encrypted wireless connections (those which do not use WPA or stronger encryption schemes) are especially susceptible to cookie stealing. This is because anyone with a wireless card can simply listen to all network traffic as it is broadcast through the air, intercepting cookies, images, web pages and any other traffic which may or may not be intended for them. Intercepting traffic on a switched network (most LANs) is more complex, but can be accomplished using ARP Poisoning or software such as Ettercap.

The take-home lesson is to use encrypted connections, like https, whenever privacy is important. Always remember that if the connection is not encrypted anyone could be listening in.
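
The server-side counterpart of this advice, as an added example that is not part of the original post or the CookieInjector script: a Node.js check that reads raw response headers and reports cookies lacking the Secure attribute (which the browser would also send over plain http, where they can be read on the wire as described above), cookies lacking HttpOnly, and whether the response sets Strict-Transport-Security. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: audit response headers for cookie attributes that keep a
// session cookie off unencrypted connections. All header values are constructed.

// Parse one Set-Cookie value into { name, value, attrs } (attribute keys lower-cased).
function parseSetCookie(value) {
  const parts = value.split(";").map((s) => s.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : first.slice(0, eq),
    value: eq < 0 ? first : first.slice(eq + 1),
    attrs: {},
  };
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Audit the raw header lines of one HTTP response.
function auditResponse(lines) {
  const report = { hsts: false, cookies: [] };
  for (const line of lines) {
    const colon = line.indexOf(":");
    if (colon < 0) continue; // not a header line
    const field = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (field === "strict-transport-security") report.hsts = true;
    if (field !== "set-cookie") continue;
    const c = parseSetCookie(value);
    const findings = [];
    if (!c.attrs.secure) findings.push("no Secure: also sent over plain http, readable on the wire");
    if (!c.attrs.httponly) findings.push("no HttpOnly: readable through document.cookie");
    // No Expires/Max-Age means a session cookie that lasts until the browser closes.
    const session = !("expires" in c.attrs) && !("max-age" in c.attrs);
    report.cookies.push({ name: c.name, session, findings });
  }
  return report;
}

// Constructed sample response headers.
const SAMPLE = [
  "Content-Type: text/html",
  "Set-Cookie: sessionid=constructed123; Path=/",
  "Set-Cookie: auth=constructed456; Path=/; Secure; HttpOnly; Max-Age=3600",
];
console.log(JSON.stringify(auditResponse(SAMPLE), null, 2));
```
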

 

Edit: I have released a new version of the script that should fix the problems with the window appearing in WYSIWYG windows + post data.
Edit: Several people have been reporting the cookie injector window appearing in Gmail emails. All WYSIWYG editors may be affected depending on their implementation. If you experience problems with the cookie injector window showing up where it shouldn’t, edit the userscript to exclude the problem site.

For example, I have updated the userscript to ignore gmail / mail.google.com domains with the following in the header:

// @exclude		   https?://gmail.com/*
// @exclude		   https?://mail.google.com/*

Please make the change yourself, or download the new version of the script to suppress its operation on Gmail pages.

External Links:

Greasemonkey: https://addons.mozilla.org/en-US/firefox/addon/748
HTTP Protocol: http://en.wikipedia.org/wiki/HTTP
TCP Protocol: http://en.wikipedia.org/wiki/TCP
Cookies: http://en.wikipedia.org/wiki/HTTP_cookie
Wireshark: http://www.wireshark.org/
Ettercap: http://ettercap.sourceforge.net/
ARP Poisoning: http://en.wikipedia.org/wiki/ARP_spoofing
Ethereal: http://www.ethereal.com/


  1. #1 by Titoo on May 19, 2008 - 1:24 am

    Nice tutorial, is there any way to access the code of your cookies injector script, I cannot find it on your link, cheers !

  2. #2 by Titooo on July 13, 2008 - 7:56 am

    thanks for the update of the script, I was also wondering if it was possible to add an input box for the host ?
    For example for gmail, you cannot go directly to the host since you are redirected to the main google login page.
    In this case it would be convenient.

    Thanks again for the script

  3. #3 by Siraj on September 16, 2008 - 6:58 pm

    Nice guide. Much faster than using a standard cookie editor in Firefox and entering the cookies one at a time.

  4. #4 by abz on June 20, 2010 - 11:20 pm

    hii, i’ve followed the instruction..
    but when i press alt+c, nothing happen
    (i tried both linux and windows firefox+greasemonkey)

    so i try the execute js firefox addons

    there are the same issued :”unsafeWindow is not defined”

    how to fix it? thx

  5. #5 by jeremy on October 29, 2010 - 5:00 pm

    Your cookie injector script somehow makes the cookie dump dialog show up in all gmail emails I send. I think you are somehow adding it to the page in a way that it is put in the body of all outgoing emails. This is annoying for obvious reasons. Is there any way you could make it not as intrusive to the affected webpages?

  6. #6 by Ajay Singh on April 13, 2011 - 2:28 am

    how to install Cookie Injection in firefox 3

  7. #7 by Sam on April 19, 2011 - 10:00 am

    Good tutorial. But the ALT-C doesn’t seem to work in UBUNTU!!!!! Email me the reason to wmwangi@egerton.ac.ke copy to kangikawanjiku@gmail.com

  8. #8 by Eviltod on April 29, 2011 - 12:45 am

    I have not found Cookie Injector for Firefox, please, I would like a link.
    Great job :D

  9. #9 by smurf on May 15, 2011 - 7:56 am

    omg idiot, u have cookieinjector script under the tutorial … …

  10. #10 by Aaron on June 10, 2011 - 12:27 am

    the “Alt-C” didn’t work!!

  11. #11 by Me on August 23, 2011 - 8:32 pm

    This doesn’t install using Greasemonkey. What’s up with that eh?

  12. #12 by nd on August 29, 2011 - 5:16 am

    jeremy :
    Your cookie injector script somehow makes the cookie dump dialog show up in all gmail emails I send. I think you are somehow adding it to the page in a way that it is put in the body of all outgoing emails. This is annoying for obvious reasons. Is there any way you could make it not as intrusive to the affected webpages?

    +1 here!!!

  13. #13 by Dustin on August 31, 2011 - 9:40 am

    The solution is to edit the cookie injector userscript to not run on Gmail pages. This can be done by adding @exclude tags to the header.
    For example:

    // @exclude		   https?://gmail.com/*
    // @exclude		   https?://mail.google.com/*

    I will update the userscript to have this as the default

  14. #14 by Jeffrey on September 5, 2011 - 9:06 pm

    I edited your excludes to *gmail.com* and *mail.google.com* as the userscript was still appearing on gmail pages.

  15. #15 by Dustin on September 6, 2011 - 5:26 am

    Jeffrey :

    I edited your excludes to *gmail.com* and *mail.google.com* as the userscript was still appearing on gmail pages.

    Ensure you have Greasemonkey 0.9.8 installed. https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/?page=1#version-0.9.8
    They recently introduced support for full regular expression matching in the include / exclude directives.
    Apparently there are problems with the 0.9.10 version so beware of that.

  16. #16 by ME on December 2, 2011 - 6:52 am

    BE AWARE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    wtf is this script???
    I installed it and it sends its code in POST DATA!!!
    Now i deinstalled it and ALT+C doesn’t work anymore, but the code get send in POST DATAS:

    http://www.abload.de/img/unbenanntbs752.jpg

  17. #17 by Dustin on December 4, 2011 - 12:12 pm

    After you restart your browser after disabling Greasemonkey + removing the Cookie Injector script, are you still having this problem?
    Unfortunately the script has issues with WYSIWYG editors that use embedded frames to render content.

  18. #18 by Dustin on December 4, 2011 - 12:32 pm

    The most recent version of the script should resolve the issues with the post data + WYSIWYG editors

  19. #19 by AKHIL on March 11, 2012 - 1:31 am

    SIR,
    AM USING FIREFOX 9.0.1. Cookie Injector Script IS NOT WORKING. When i try to install it from file.. ” SHOWING : File Corrupted”.
    Please post new version and also tell me correct way to install Cookie Injector Script.

    I want to know how to capture cookies of some one we know.

  20. #20 by akorpse on March 14, 2012 - 9:39 am

    Hey AKHIL,

    it is working for me. First install firefox add-on “GreaseMonkey”, then click on “Download CookieInjection Userscript” in this page and click “install”. Next fire up wireshark, intercept cookie, copy it. Go to http://www.facebook.com (clear your browser history) then press “alt” + “c” and paste the cookie. Now refresh your page and you will be logged in. This works only if the victim is still logged in, facebook’s cookies last only till he leaves his session.

  21. #21 by doni on May 16, 2012 - 6:06 pm

    Idiot, there’s no explanation how to install cookie injector here

  22. #22 by MG on May 26, 2012 - 3:38 pm

    Hi
    Thx for this script I’ll test it tomorrow

  23. #23 by monika on May 27, 2012 - 12:29 am

    cant able to download cookieinjector … gimme the link from where i can download this

  24. #24 by william on June 19, 2012 - 6:05 pm

    how can i download the cookie injector?please respond..

  25. #25 by k1m0n0 on August 27, 2012 - 4:57 pm

    There is a bug on the code:

    Current>cI.dialog.style.zindex

    Should be> cI.dialog.style.zIndex

  26. #26 by k1m0n0 on August 27, 2012 - 4:59 pm

    Thanks for the script btw! Saves a lot of time! ;)

  27. #27 by Dustin on August 29, 2012 - 1:47 pm

    Good Spotting k1m0n0!

  28. #28 by monica on September 21, 2012 - 12:47 pm

    My cookie injector is not working. I click on it and nothing pops up. I hit alt and c and nothing happens for facebook

  29. #29 by MooT on November 15, 2012 - 9:45 am

    14/11 the cookie injector stop working for facebook

  30. #30 by It Worked on February 16, 2013 - 7:18 pm

    LOL. It worked!! On a mac you need to use the key combo

    option+c

    once you dump it resubmit the base URL like facebook.com and BOOM you’re logged into the users profile

    ROFL

    I’m getting a kick out of this.

  31. #31 by ew on August 13, 2013 - 11:18 am

    cookie injector doesnt work if i push alt and c

  32. #32 by ew on August 13, 2013 - 11:19 am

    and how can i install cookie injector

  33. #33 by ib on December 9, 2013 - 8:56 am

    hello, how do you install it

  34. #34 by http.cookie ??? on December 13, 2013 - 10:09 am

    http.cookie doesnt show up when capturing packets after browsing and logging into https://www.facebook.com so your tutorial is garbage !

  35. #35 by Russian on February 13, 2014 - 4:40 pm

    #36 you are an obtuse fucking idiot. Your brain is garbage and you’re either too lazy to read or you’re fucking illiterate.

  36. #36 by Russian on February 13, 2014 - 4:48 pm

    the “s” in “https” means “secure” dumbass. https uses encryption. Greasemonkey can’t break that encryption. It can, however, use UNENCRYPTED cookies like the ones used in http sessions. If you’d done your homework you’d know that. And a little life lesson for you, everyone out there that knows that, read your comment, shook their heads in disgust, and thought “this guys is a fucking dumbass” Big congrats on making yourself look stupid.

  37. #37 by ding-dong on September 20, 2014 - 10:05 am

    cookie injector not available anymore?

  38. #38 by Devansh Jani on October 25, 2014 - 2:40 am

    Is there another link which provides cookie injector script ? Because this link doesn’t work
