Cookies commonly include sensitive information associated with authentication. If the cookie contains passwords or session identifiers, stealing the cookie can be a very successful attack against a web site. There are several popular methods used to steal cookies, with the most popular being script injection and eavesdropping.
Reverse engineering the cookie offline is a very productive attack. The best path is to gather a sample of cookies using different input to see how the cookie changes. This can be done by using different accounts to authenticate at different times. The idea is to see how the cookie changes based on time, username, access privileges, and so on. Bit-flipping attacks adopt the brute-force approach, methodically modifying bits to see if the cookie is still valid and whether different access is gained.
Before embarking on attacks on cookie values, care should be taken to first understand any encoding used and whether the cookie requires to be decoded for the attack to be successful. One general mistake made by application developers is to use an encoding format, such as Base64, when encryption is required.
This mistake is sometimes noticed in applications caching role data in the cookie for performance purposes. Because Base64 is easily decoded, an attacker can decode the cookie value, change it then re-encode the cookie value to probably change his or her assigned position and obtain access to the application. Tools such as the Burp web proxy have great support for manipulating cookies and encoding, decoding, and hashing values using standard algorithms.