w3af – cookies

Viewing 8 reply threads
  • Author
    • #3741

      I can’t seem to figure out how to get w3af to import a session cookie for a particular URL I am trying to scan.  It’s asking for a Mozilla compatible cookiejar filename.  I am not sure exactly what that is.  FF3 uses SQLite for it’s cookie database.  I tried that but it didn’t work.  Does anyone know what it wants?

    • #23957

      I think you’ve kinda answered your own question. I believe it looking for the cookie file used by Firefox >= 2.x. This I believe was a plaintext, whitespace-delimited file. I guess someone could write a script to dump the SQLite database in FireFox >= 3 into the old format… there’s a weekend project for someone.


    • #23958

      OK, I couldn’t resist the challenge, my C skills need some sharpening and I’ve never used sqlite. Here’s a short program to extract the cookie information from the sqlite3 database used my Firefox 3 into the old format.

      I’ve tested this on Cygwin but there is no reason why it should not compile on another platform so long as the sqlite3 libraries and headers are installed. I compiled it with the following command:

      gcc -Wall -g -o cookiejar cookiejar.c  -lsqlite3



        These are the columns in the moz_cookies table
        id = used internall my Firefox?
        name = some_name
        value = some_value
        host = .ethicalhacker.net
        path = /
        expiry = 1304073154
        lastAccessed = 1241001154890625
        isSecure = 0
        isHttpOnly = 0

        The Firefox 2.x cookie file format is...
        Domain       Domain scope?  Path  Secure  Expires     Name      Value
        .example.com TRUE           /     FALSE   1143149359  login_id  123456

      static int callback(void *NotUsed, int argc, char **argv, char **azColName){
          argv[0],                            // host or domain name
          *argv[0] == '.' ? "TRUE" : "FALSE", // Domain accessible if host starts with a '.'
          argv[1],                            // path
          *argv[2] == '1' ? "TRUE" : "FALSE", // SSL only?
          argv[3],                            // Expiry
          argv[4],                            // Cookie name
          argv[5] ? argv[5] : "NULL"          // Cookie value

        return 0;

      int main(int argc, char **argv){
        sqlite3 *db;
        char *zErrMsg = 0;
        char *sql = "select host,path,isSecure,expiry,name,value from moz_cookies";
        int rc;

        if( argc!=2 ){
          fprintf(stderr, "Usage: %s DATABASEn", argv[0]);

        //TODO: Stat the file first

        // Open the database, exit on failure
        rc = sqlite3_open(argv[1], &db);
        if( rc ){
          fprintf(stderr, "Can't open database: %sn", sqlite3_errmsg(db));

        rc = sqlite3_exec(db, sql, callback, 0, &zErrMsg);
        if( rc!=SQLITE_OK ){
          fprintf(stderr, "SQL error: %sn", zErrMsg);

        // Close the database
        return 0;
    • #23959

      Wow, thanks jimbob!    I thought I had a project to do this weekend 🙂  Thank you very much again!  I am pretty comfortable with C/C++, so I can tweak if necessary.  Have I said thanks? 🙂

    • #23960

      No problem at all. I fixed it up to compile with Visual C++, which is a first for me. I generally don’t do any windows programming outside cygwin/vi/gcc so I’ve also gained from this exercise.



    • #23961

      I tested it and it worked like a charm.  The only thing I had to add was a comment line at the top of the cookies file:

      #Netscape Cookie File

      VC++ is actually pretty nifty in terms of debugging and IDE options.  I also like the MFC classes, especially the later editions when they took security a bit more seriously.  They really have come a long way from strcmp(tinystr, hugestr) days. 

      I’ve started using SQLite in the last 6 months or so.  It’s a pretty cool portable database system.  The only compatible alternative I know is MS Access, and that’s a mess.  SQLite is not terribly fast on inserts, but it really does the trick when you need something portable.

      Thanks again!

    • #23962

      I shall have to spend some more time learning VC++, it’s a useful skill. I’ll add the leading comment to my source and publish it somewhere. I know there are other tools out there that read the cookie SQLite database but I’m a command line ki d of guy and I like output I can pipe.

      I imagine Berkeley DB to be the closest to SQLite in terms of embedded database but I like SQLite on the basis that I already know SQL. I can see this too being useful 🙂


    • #23963

      Sorry to bring up an old topic and thanks for the great script!

      For some reason the cookies of a couple of sites I’m testing are not stored in the same place as other cookies. The only difference that I can see from the sites I’m testing and others is that the sites I’m testing are HTTPS. I tried logging into other HTTPS sites and they do seem to be saved into the same sqlite database.

      I thought it may have been a problem with the script, however after openning the sqlite database and inspecting the data, the cookies were not there.

      The location of my cookies.sqlite file:

      Does Firefox save HTTPS cookies in a different location? Is there something else going on here?

      Thanks in advance.  ;D

      P.S. Firefox 3.0.15 / BackTrack4 Final

    • #23964

      I am not sure why you are not seeing the cookies.  I am not an expert on cookies, but could they be expiring (session cookies)? 

      I also use wget to write the cookiejar file sometimes.  Perhaps it will help you here:

      wget --save-cookies cookiefile --post-data "login info goes here" -O URL > /dev/null
Viewing 8 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2022 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?