Using Postman to search for “critical” cookies

For the last year, I have been learning from the community how to pentest. This is my attempt to produce some material that people might find useful.

Testing a site involves determining which cookies are “necessary” to get a valid response from the server. Sometimes, there can be quite a few cookies though. To help with this, I use Postman. You can download it here. I also proxy it through Burp but that is not necessary for this tutorial.

Use your proxy or some other means to grab the curl command for the site.

Launch postman. At the top left corner, click IMPORT.

Copy and Paste the CURL command into the RAW text, as shown

At the bottom, click continue. Then Import.

You will now have a new untitled request based off of the CURL command. 

You can click Send if you want to test if it gives you the same response as it did via the browser/proxy. 

If you click on Headers you will see that all the headers have been nicely organized BUT the Cookies are all together under Cookie.

I wrote a little ruby script to parse this at github.

Here is the code:

split_me = “split me”

cookie_array = split_me.split(‘;’)

c = 0

cookie_array.each { |item|

  cookie_array[c] = “Cookie:” + item

  c = c +1


puts cookie_array

Replace the string “split me” in the code with the a copied version of the entire Value in the box 

Run the ruby script and then it will output something that looks like the following:

Click on Bulk Edit and paste the results from the script.

Click on Key-Value Edit

Notice how there is a nice tick box setup of all the cookies now?

You can begin to tick them one by one, sending the request each time and see which cookie is crucial for authenticating with the app. 

As a bonus, you can also quickly change the request type POST/GET/HEAD etc. and fuzz with different types and see what reaction the server has. 

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: