auth_cookie_tamper

Test authentication bypass by sending HTTP requests with manipulated cookie values to identify privilege escalation vulnerabilities in web applications.

Instructions

Test cookie manipulation for privilege escalation.

Sends requests with tampered cookie values and checks for access.

Returns: {"results": [{"cookies": dict, "status": int, "length": int, "response_snippet": str}]}.

Side effects: Sends GET requests with manipulated cookies.

Input Schema

Name | Required | Description | Default
url | Yes | URL to test with tampered cookies (e.g. /dashboard, /admin) |
cookies | Yes | Cookie name-value pairs to send, e.g. {"logged_in": "true", "admin": "1"} |

Implementation Reference

  • The handler implementation for the auth_cookie_tamper tool. It uses curl to perform requests with modified cookies and compares them to a baseline request without cookies to detect potential privilege escalation.
    async ({ url, cookies }) => {
      requireTool("curl");
    
      // Build cookie string
      const cookieStr = Object.entries(cookies)
        .map(([k, v]) => `${k}=${v}`)
        .join("; ");
    
      // Test with tampered cookies
      const res = await runCmd("curl", [
        "-sk",
        "-o",
        "-",
        "-w",
        "\n__META__%{http_code}:%{size_download}",
        "-b",
        cookieStr,
        url,
      ]);
    
      let body = res.stdout;
      const metaMarker = body.lastIndexOf("__META__");
      let status = 0;
      let length = 0;
      if (metaMarker !== -1) {
        const meta = body.slice(metaMarker + 8).trim();
        const parts = meta.split(":");
        status = parts[0] ? parseInt(parts[0], 10) : 0;
        length = parts[1] ? parseInt(parts[1], 10) : 0;
        body = body.slice(0, metaMarker);
      }
    
      // Also test without cookies for comparison
      const baseline = await runCmd("curl", [
        "-sk",
        "-o",
        "/dev/null",
        "-w",
        "%{http_code}:%{size_download}",
        url,
      ]);
      const bp = baseline.stdout.split(":");
      const baseStatus = bp[0] ? parseInt(bp[0], 10) : 0;
      const baseLength = bp[1] ? parseInt(bp[1], 10) : 0;
    
      const result = {
        tampered_request: {
          cookies,
          status,
          length,
          response_snippet: body.slice(0, 1000),
        },
        baseline_request: {
          status: baseStatus,
          length: baseLength,
        },
        access_changed:
          status !== baseStatus || Math.abs(length - baseLength) > 50,
        hint: "If status/length differ significantly, cookie-based auth bypass may be possible.",
      };
    
      return { content: [{ type: "text", text: JSON.stringify(result) }] };
    }
  • Zod schema definition for the input parameters of the auth_cookie_tamper tool.
    {
      url: z
        .string()
        .describe(
          "URL to test with tampered cookies (e.g. /dashboard, /admin)"
        ),
      cookies: z
        .record(z.string())
        .describe(
          "Cookie name-value pairs to send, e.g. {\"logged_in\": \"true\", \"admin\": \"1\"}"
        ),
    },
  • Tool registration for auth_cookie_tamper.
    server.tool(
      "auth_cookie_tamper",
      "Test cookie manipulation for privilege escalation.\n\nSends requests with tampered cookie values and checks for access.\n\nReturns: {\"results\": [{\"cookies\": dict, \"status\": int, \"length\": int, \"response_snippet\": str}]}.\n\nSide effects: Sends GET requests with manipulated cookies.",
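
The tool above looks for servers that trust client-set cookies such as the schema's {"logged_in": "true", "admin": "1"}. The following is an added example, not code from operant-mcp or from this page: it puts that server-side pattern next to an HMAC-signed session value that rejects edited cookies. The function names, the `session` cookie name and the in-memory key are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

// Constructed key for this example; a real service loads it from a secret store.
const SECRET = crypto.randomBytes(32);

// Parse a Cookie header ("a=1; b=2") into a plain object.
function parseCookies(header = "") {
  const out = {};
  for (const pair of header.split(";")) {
    const i = pair.indexOf("=");
    if (i > 0) out[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return out;
}

// VULNERABLE: authorization is read straight from client-controlled values.
function isAdminNaive(cookieHeader) {
  const c = parseCookies(cookieHeader);
  return c.logged_in === "true" && c.admin === "1";
}

// Issue a session value: base64url(JSON claims) + "." + HMAC-SHA256 tag.
function issueSession(claims) {
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const tag = crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
  return `${payload}.${tag}`;
}

// HARDENED: claims are returned only when the tag verifies (constant-time compare).
function verifySession(cookieHeader) {
  const raw = parseCookies(cookieHeader).session || "";
  const dot = raw.lastIndexOf(".");
  if (dot <= 0) return null;
  const payload = raw.slice(0, dot);
  const tag = Buffer.from(raw.slice(dot + 1), "base64url");
  const expected = crypto.createHmac("sha256", SECRET).update(payload).digest();
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null; // payload was signed but is not valid JSON
  }
}

function isAdminHardened(cookieHeader) {
  const claims = verifySession(cookieHeader);
  return claims !== null && claims.admin === true;
}
```

With the hardened check, a request carrying only the tampered cookies gets the same response as the baseline request, so the handler's access_changed comparison stays false. The example leaves out expiry and key rotation, which a production session format also needs.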

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/operantlabs/operant-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.