🍪 CookieJar Lab


See how a stolen cookie bypasses passwords and 2FA

Walk through a 4-step attack in 60 seconds. No setup required.

1.8B credentials stolen by infostealers, 2025
17B cookies exfiltrated, including session tokens
54% of ransomware linked to prior infostealer theft
This uses sample data. Run the full lab to try the attack with real sessions you create.
Welcome, alice (Password + TOTP)

Cookie Security Flags

httpOnly: false

Any script or malware running on this device can read this cookie directly. Nothing prevents it.

secure: false

The cookie travels over unencrypted connections. Anyone on the same network could intercept it.

sameSite: None

The browser attaches this cookie to every request, even from other websites. No restrictions at all.

All three protections are turned off. This cookie is completely exposed. Any malware on the device can steal it instantly, and nothing will stop it being used from another machine.
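As an added example that is not part of the CookieJar Lab code, here is a small JavaScript helper that builds a Set-Cookie header from Express-style options (the same httpOnly/secure/sameSite names the vault shows) and audits it, so the exposed cookie above can be compared with a hardened one. The function names and the token value are constructed for this illustration.

```javascript
// Added example (not the lab's own code). Builds a Set-Cookie header from
// Express-style options and audits it for the three flags the vault shows.
// buildSetCookie/parseSetCookie/auditSetCookie are hypothetical helper names.

function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs }; attribute names are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of findings for a session cookie; an empty list means all three protections are on.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: page scripts can read it');
  if (!attrs.secure) findings.push('missing Secure: sent over plain HTTP');
  const ss = String(attrs.samesite || '').toLowerCase();
  if (!ss) findings.push('missing SameSite: browser default applies');
  else if (ss === 'none') {
    findings.push('SameSite=None: attached to cross-site requests');
    // Chromium rejects SameSite=None cookies that are not also marked Secure.
    if (!attrs.secure) findings.push('SameSite=None without Secure: Chromium rejects the cookie');
  }
  return findings;
}

// The vault's exposed cookie beside a hardened one (constructed sample token value).
const weak = buildSetCookie('session', 'alice-token-sample', { httpOnly: false, secure: false, sameSite: 'None' });
const hardened = buildSetCookie('session', 'alice-token-sample', { httpOnly: true, secure: true, sameSite: 'Lax' });
console.log(weak, auditSetCookie(weak));          // 4 findings
console.log(hardened, auditSetCookie(hardened));  // []
```

The flags limit how a cookie can be read or sent by the browser; they do not undo a cookie already copied off disk, so a server still needs short session lifetimes and revocation on logout or suspicious use.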

🍪 Stolen Session Token

This token is the key to alice's account. Whoever has it doesn't need her password, doesn't need her 2FA code, and doesn't need to log in at all. The server will treat them as alice, with full access to everything she can see and do.

🕷 What the infostealer extracted

What this gives the attacker: A username and email to target in further attacks. Confirmation that MFA was active, proof the account was “protected” and likely contains high-value data. And the session token itself: the single artifact needed for full account takeover. No brute forcing. No phishing for credentials. Just paste and access.

🎃 How infostealers grab this

Malware like RedLine, Raccoon, and Lumma runs silently after a user opens a phishing attachment or trojanized download. It reads the browser's cookie database directly from disk, an SQLite file sitting unencrypted in the user's profile folder. The entire operation takes under 2 seconds. No browser interaction, no pop-ups, no visible sign. The stolen cookies are sent to the attacker's C2 server, where they're sold on dark web marketplaces or replayed immediately.

🕷 Session Replay Attack

An attacker on a completely different device pastes the stolen token into their browser. The server sees a valid session cookie and grants full access. It has no way to know this isn't the original user.
