Project 11: Cookie Cadger (15 pts.)

To see how cookies are used by websites for authentication, and perform CSRF (Cross-Site Request Forgery) attacks.

Testing Networking

Finding the KALI Linux Machine's IP Address

Use the ifconfig command on the Kali Linux machine to find its IP address.

Ping the Kali machine from the Windows machine. If you don't get replies, you need to troubleshoot your networking. To make this easiest, set all virtual networks to Bridged mode.

On both computers, execute this command:

Make sure you are getting replies on both machines.

Downloading Cookie-Cadger

On your Kali Linux machine, execute this command:


If that link doesn't work, use this command:
wget --no-check-certificate

Running Cookie Cadger

On your Kali Linux machine, execute this command:
java -jar CookieCadger-1.07.jar
A box pops up asking "Enable Session Detection?". Click No.

The main Cookie Cadger window opens, as shown below. Click the "Start Capture on eth0" button.

On your Target machine, NOT the Kali Linux machine, open a Web browser and visit this site:
A MAC address should appear in Cookie Cadger, as shown below. Click it to see the domains used to load that page.

On your Target machine, NOT the Kali Linux machine, open a Web browser and visit this site:
Log in with a Name of root and a Password of toor, as shown below.

A Message Board opens, as shown below. Notice the "Welcome" message, showing that you are logged in.

In the Message Board, click the "Erase Comments" button.

Type your name into the Comment field and press Enter.

A page should appear, showing your name in a comment, as shown below.

Capturing a Cookie with Cookie Cadger

In Cookie Cadger, in the domain list, click

In the Cookie Cadger window, in the third column, click /cookielogin/messageboard.php, as shown below.

The messageboard.php item may not appear. If that happens, try refreshing the page on the Target machine, and opening another tab to visit another site such as or

Unfortunately, Cookie Cadger is a bit slow to respond and buggy, like other Java applications.

Performing a CSRF Attack

In Cookie Cadger, click "Replay Request".

The message board opens in Kali, showing the Welcome message, indicating that you are now authenticated.


Repeat this process on this target URL:
Does CSRF work on this site?
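What the replay above relies on is that the target site issued its session cookie without the attributes that would keep it off the wire and out of a cross-site request. The following is an added example (not part of the lab and not Cookie Cadger's code) that audits Set-Cookie headers the way a defender would when explaining the results: it parses each header, reports which of Secure, HttpOnly and SameSite are missing, and tells you whether the browser would send that cookie over plain HTTP, which is exactly what a capture on eth0 sees. The two header sets and the cookie values in it are constructed samples, not from the lab sites.

```python
"""Audit Set-Cookie headers for the attributes that make a captured
session cookie replayable. Added example with constructed sample headers;
the cookie values below are made up, not taken from the lab sites."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie value into name and attributes (attribute names are
    case-insensitive per RFC 6265) and note which protections are absent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite") or None

    missing = []
    if not secure:
        # Browser will also send the cookie on http:// requests, so a
        # sniffer on the LAN segment can read it in cleartext.
        missing.append("Secure")
    if not httponly:
        # Cookie is readable from JavaScript on the page.
        missing.append("HttpOnly")
    if samesite is None or samesite.lower() == "none":
        # Cookie rides along on cross-site requests (the CSRF case).
        missing.append("SameSite")
    return CookieAudit(name.strip(), secure, httponly, samesite, missing)


def sniffable_over_http(audit: CookieAudit) -> bool:
    """True when the cookie would appear in a plain-HTTP request capture."""
    return not audit.secure


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each session cookie name in a response to its missing attributes."""
    result = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            audit = parse_set_cookie(value)
            result[audit.name] = audit.missing
    return result


# Constructed sample responses: a weak one resembling a PHP login that sets
# only a path, and a hardened one with all three attributes present.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=constructedvalue1234; path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=constructedvalue1234; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for name, missing in audit_response_headers(hdrs).items():
            print(f"{label}: cookie {name} missing {missing or 'nothing'}")
```

Run it against the headers you actually observe (a browser's developer tools or a packet capture on the Kali side will show the Set-Cookie line from the login page). A cookie reported as missing Secure explains why Cookie Cadger could pick it up at all; missing SameSite explains why a request from another origin still carries it. The audit is of the server's response, so it works the same for a site served over HTTPS that forgot the Secure flag.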

Explain Your Results

WRITE AN EXPLANATION into the body of your email message. Say whether is vulnerable to this attack, and explain why.

