I would like to know how to steal cookies?
I tried to export all my cookies through the 'Edit This Cookie' extension on a logged-in page which uses cookie authentication. While logged out I tried inserting those cookies hoping that I would be logged in, but nothing happened.
After searching I came to know that the cookies sent are in encrypted form. But the page wasn't using any TLS encryption. Am I missing anything?
I tried using the same cookies while Logged in i.e exported all the cookies and imported on an incognito window but nothing happened.
Also, this kind of attack doesn't seem to be working on most popular sites like Google, Facebook etc. So how do they protect against such attacks?
Technically, the answer to your question - how to steal cookies can be answered as even if the contents in the cookie were to be encrypted, if cookies are properly copied to the new browser and the new browser sends the same HTTP headers (same user agent string, referrer is as expected, computer has same IP address, and all other headers the server could have previously stored and and compare against), the server theoretically wouldn't be able to differentiate between the original browser and the new browser.
I'm assuming that you're trying to copy the cookie(s) from a site that auto-logs you on every time you open your browser and you haven't logged out. Some sites could use other ways to detect if this is a stolen cookie/session, but it's a losing battle because all those can still be spoofed E.g.: Check if the IP address changed Is the User-Agent the same Check if the referrer makes sense Any other HTTP headers that the browser sends To answer your question, you should be able to make it work if you're dealing with an auto-login site and you haven't logged out. Make sure that all the HTTP headers your new browser is sending are the same, that the IP address is the same, the referrer is the expected one, same user agent.
Note that also perhaps the service you're using is using a 2nd cookie that you forgot to copy, and thus creates an anomaly and kicks you out.