I've seen so many hacking tutorials about XSS, SQL injection, and many topics along those lines, but I've seen very little dealing with cookies as potential attack vectors or security risks. h4x0r and I were talking a little while back, and it was decided that I would write a tutorial to fill that void. So here it is, all about cookies. What they are, how they're used, the security risks they can present, and how they can be exploited.
Note: Keep in mind that this tutorial was written with the same disclaimer as most others... it's for educational purposes only, use this information to secure your website, not break the law, etc.
OK, so now that we got that out of the way, let's get started!
Cookies identify you to the site. They store settings about your customized look and feel for the pages you view, your username and encrypted password or user id, who referred you to the site, profile preferences, and just about any kind of information the admins want them to store to customize your user experience. Cookies are most commonly used to give you access to login-protected pages once you've entered your information, identify you in content that you change on the site (forum posts or article comments, for example), tell the administrators how you found the site, and more. Again, cookies will function as their creators have written them to function. This sounds like a simple, obvious statement, but it can't be overlooked. We'll see why later.
Insecure cookies can be changed to allow you access to protected pages (e.g., admin), change your user id to impersonate other users, etc. Up until now, this tutorial has been all theoretical information, so how about a little real-life application now?
If you don't have Firefox, get Firefox. Now that you have them installed, I'll give you a quick guide to editing cookies with them. There's a lot more you can do with Firebug, so I'd encourage you to look at some tutorials for its other features as well, like editing pages' source code on the fly with its Inspect feature.
That aside, back to editing cookies. Click the Firebug icon on the bottom right of your Firefox window. Now click on the Cookies tab at the top of the window that pulls up. Fill in the checkbox for Cookies and click Apply. Click OK on any windows that pop up about resending data. Now you should see a listing of the cookie fields and values, among other things. Right-click on the field you want to change and click Edit. Change the value field to whatever you want. You may need to change the session-only check box or the expiration date to get the cookie to stay once the page has refreshed, depending on the page. Once you've changed the value, refresh the page. If you still see your cookie in the Firecookie window, then your cookie is in effect. If not, you may need to play with some of the settings as I mentioned earlier.
And that's the basics of cookie hacking! Now you know all you need to understand cookie stealing and more.
This article is also posted here: http://techmafias.com/Thread-all-about-cookies. I am the original author and decided to copy it here for your benefit.
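To see why an edited cookie works on some sites and not others, here is the server side of the story as an added example (not code from the original tutorial). It puts the insecure pattern, which trusts a role field sent by the browser, beside a signed cookie that the server rejects once its value has been changed; the cookie layout, field names and key handling are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret that never leaves the server (generated here for the demo).
SECRET_KEY = secrets.token_bytes(32)


def naive_is_admin(cookies: dict) -> bool:
    """Insecure pattern: believes whatever role the browser sends back."""
    return cookies.get("role") == "admin"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.tag', where tag is an HMAC-SHA256 over the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the signed value if the tag matches, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: unsigned or truncated cookie
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd characters cannot raise.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


def hardened_is_admin(cookies: dict) -> bool:
    """Only reads the role out of a cookie whose signature verifies."""
    value = verify_cookie(cookies.get("session", ""))
    if value is None:
        return False
    fields = dict(p.split("=", 1) for p in value.split("&") if "=" in p)
    return fields.get("role") == "admin"


if __name__ == "__main__":
    # Constructed sample: a cookie issued to a normal user, then edited in the browser.
    issued = sign_cookie("uid=1001&role=user")
    edited = issued.replace("role=user", "role=admin")
    print("naive check, edited cookie:   ", naive_is_admin({"role": "admin"}))
    print("signed check, issued cookie:  ", hardened_is_admin({"session": issued}))
    print("signed check, edited cookie:  ", hardened_is_admin({"session": edited}))
```

Signing only detects changes to the value; a cookie that is copied unchanged still verifies, so it does not address cookie theft.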