Reading Time: 18 minutes
Difficulty Level: Intermediate
Tools Mentioned: Cookie Cadger, Wireshark, EditThisCookie
Series: Part 3: Wireshark for Beginners
Introduction: The “Passwordless” Hack
We are taught that passwords are the keys to our digital life. We are told to make them long, complex, and add 2-Factor Authentication (2FA) via SMS or an app. We think this makes us a fortress.
It doesn’t.
Imagine you walk into a high-security club. The bouncer checks your ID, checks the guest list, pats you down, and finally stamps your hand with invisible ink. From that moment on, the bouncer never checks your ID again. He just checks for the stamp on your hand.
If a thief cuts off your hand (or copies the stamp), he can walk into the club. The bouncer won’t ask for ID. He won’t ask for 2FA. He sees the stamp, and he lets him in.
In the digital world, that stamp is called a Session Cookie. And stealing it is called Session Hijacking (or Sidejacking).
In this guide, we will explore how hackers perform Session Hijacking using tools like Cookie Cadger to intercept these digital stamps on public Wi-Fi, bypassing your passwords entirely to gain full access to your Facebook, Amazon, or Email accounts.
Part 1. What is a “Session Cookie”?
To understand Session Hijacking, you must understand how the web works. The HTTP protocol is Stateless. This means the web server (Facebook) has amnesia. As soon as it sends you a page, it forgets who you are.
If there were no cookies, you would have to type your password every time you clicked a new link or liked a photo. It would be unusable.
The Solution: The “ID Card”
When you log in:
- You send your Username + Password.
- Server verifies them.
- Server generates a long, random string of text (e.g., Session_ID=Ax95Zb3...).
- Server sends this string to your browser as a Cookie.
Now, every time you click a link, your browser silently sends this cookie to the server saying: “It’s me, the guy who logged in 5 minutes ago.”
The Vulnerability
The server doesn’t care who sends the cookie. It only cares that the cookie is valid. If a hacker performs Session Hijacking and sniffs that cookie over the Wi-Fi, they can inject it into their own browser. The server will instantly think the hacker is YOU.
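The server-side half of this, as an added example that is not from the original article: a minimal in-memory session table showing that a valid ID is accepted from whichever client presents it until logout or idle expiry, with an optional User-Agent binding. The SessionStore class, the IDLE_TIMEOUT value and the browser strings are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value for this example

class SessionStore:
    """Hypothetical in-memory session table: session ID -> server-side record."""

    def __init__(self, bind_client=False, clock=time.monotonic):
        self._sessions = {}
        self._bind_client = bind_client
        self._clock = clock

    @staticmethod
    def _fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def login(self, user, user_agent):
        """Call only after the password and 2FA checks have passed."""
        sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._sessions[sid] = {"user": user,
                               "fp": self._fingerprint(user_agent),
                               "last_seen": self._clock()}
        return sid

    def validate(self, sid, user_agent):
        """Return the user for a live session ID, else None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None  # unknown, expired or logged-out ID
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        if self._bind_client and rec["fp"] != self._fingerprint(user_agent):
            # Same ID, different client: revoke it. Weak signal, not a TLS substitute.
            del self._sessions[sid]
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)  # the ID is dead from now on

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "BrowserA/1.0")  # constructed values
    print(store.validate(sid, "BrowserB/2.0"))  # unbound: any holder is alice
    store.logout(sid)
    print(store.validate(sid, "BrowserB/2.0"))  # rejected after logout
```

With bind_client=False the store behaves exactly as the paragraph above describes; the binding and the idle timeout only shorten the window in which a copied ID is useful.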
Part 2. The Tool: Cookie Cadger
In the early 2010s, a tool called Firesheep terrified the internet. It made Session Hijacking as easy as clicking a button. Later, Cookie Cadger took this concept further.
What is Cookie Cadger?
Cookie Cadger is a graphical Java application that acts as a specialized version of Wireshark.
- Wireshark shows you all traffic (messy).
- Cookie Cadger filters out everything except HTTP GET requests containing cookies.
It analyzes the traffic on the Wi-Fi network, identifies cookies from known sites (like Facebook, Twitter, Yahoo), and displays them in a simple list.
Can I download it?
Cookie Cadger is Open Source. You can find the code on GitHub (search for “Cookie Cadger”).
- Requirement: It requires Java installed on your machine.
- Hardware: Like Wireshark, it works best if you have a Wi-Fi adapter capable of “Monitor Mode” (to see traffic from other people, not just your own).
Warning: Modern browsers and Operating Systems flag these tools as dangerous. Using them for Session Hijacking on networks you do not own is illegal.
Part 3. The Attack: Anatomy of Session Hijacking
Let’s break down how a hacker performs a Session Hijacking attack in a coffee shop using the “Sidejacking” technique.
Step 1: Join the Network
The hacker sits in a Starbucks and connects to the “Free Wi-Fi”. They open Cookie Cadger (or a modern equivalent like Bettercap).
Step 2: The Wait (Sniffing)
The hacker doesn’t do anything active. They just listen. You enter the cafe. You are already logged into Facebook on your phone. You connect to the Wi-Fi. Your phone automatically refreshes your news feed in the background. To do this, it sends an HTTP request to Facebook containing your Session Cookie.
Step 3: The Intercept
If the connection is not fully encrypted (HTTP), Cookie Cadger sees the request. It grabs the text: c_user=12345678; xs=3A... (This is the Facebook authentication token).
Step 4: Replay (The Hijack)
The hacker doesn’t need your password.
- They open their own browser.
- They use a simple plugin called “EditThisCookie” or the Developer Console (F12).
- They create a new cookie with the values they just stole from you.
- They refresh the Facebook page.
Boom. They are logged in as you. They see your messages. They can post on your wall. They can change your password.
Did 2FA help? No. The server thinks the “2FA check” was already passed when the cookie was issued. This is why Session Hijacking is so dangerous.

Part 4. The “Secure” Flag and HTTPS
You might be asking: “Doesn’t Facebook use HTTPS? Isn’t it encrypted?”
Yes. In 2025, major sites like Facebook, Google, and Amazon force HTTPS. When HTTPS is active, the cookie is encrypted inside the TLS tunnel. Cookie Cadger sees nothing but garbage.
However, the Session Hijacking threat is not dead. Hackers have adapted.
1. SSL Stripping
Using a tool like SSLstrip (often used with an Evil Twin Attack), a hacker can force your browser to downgrade from HTTPS to HTTP. If this happens, your cookies become visible again in plain text.
2. “Mixed Content” Mistakes
Sometimes, a secure site loads an image or script over an insecure HTTP connection. If the developer was careless and didn’t set the Secure flag on the cookie, the browser might accidentally send the sensitive cookie over that insecure channel.
3. Non-HSTS Sites
Many news sites, forums, and smaller shops still don’t enforce strict HTTPS (HSTS). If you browse a hobby forum or a local news site, your session there is wide open to Session Hijacking.
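A defender-side check for the three gaps above, added here as an example and not taken from the original article: it audits a response's Set-Cookie and Strict-Transport-Security headers for a missing Secure flag, plain-HTTP delivery and absent or short-lived HSTS. The sample responses are constructed, and the MIN_HSTS_AGE threshold and function names are assumptions.

```python
MIN_HSTS_AGE = 15552000  # 180 days; threshold assumed for this example


def split_directives(value):
    """'a=b; Flag; k=v' -> [('a', 'b'), ('Flag', ''), ('k', 'v')]"""
    out = []
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out.append((key.strip(), val.strip().strip('"')))
    return out


def audit(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings, hsts = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            items = split_directives(value)
            flags = {k.lower() for k, _ in items[1:]}
            if items and "secure" not in flags:
                findings.append(f"cookie '{items[0][0]}' lacks Secure")
        elif name.lower() == "strict-transport-security":
            hsts = {k.lower(): v for k, v in split_directives(value)}
    if scheme != "https":
        findings.append("served over plain HTTP")
        if hsts is not None:
            findings.append("HSTS header on HTTP is ignored by browsers")
    elif hsts is None:
        findings.append("no HSTS header")
    else:
        age = hsts.get("max-age", "")
        if not age.isdigit() or int(age) < MIN_HSTS_AGE:
            findings.append("HSTS max-age missing or too short")
    return findings


# Constructed sample responses (not captured traffic).
LAB_LIKE = ("http", [("Set-Cookie", "login=test%2Ftest; path=/")])
HALF_FIXED = ("https", [("Set-Cookie", "sid=Ax95Zb3; Path=/; HttpOnly")])
HARDENED = ("https", [
    ("Set-Cookie", "sid=Ax95Zb3; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
])

if __name__ == "__main__":
    for label, (scheme, hdrs) in [("lab-like", LAB_LIKE),
                                  ("half-fixed", HALF_FIXED),
                                  ("hardened", HARDENED)]:
        print(label, audit(scheme, hdrs) or "ok")
```

The HALF_FIXED case is the mixed-content mistake: the site is on HTTPS, but the cookie has no Secure flag and nothing tells the browser to stay on HTTPS.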
Part 5. Practical Lab: Simulating Session Hijacking (Safe & Legal)
We will not hack Facebook (that is a crime). We will use a dedicated vulnerability testing site: testphp.vulnweb.com.
Prerequisites:
- Chrome/Firefox with the “Cookie-Editor” extension installed.
- Two different browsers (e.g., Chrome as the “Victim”, Firefox as the “Hacker”).
Step 1: The “Victim” Logs In
- Open Chrome.
- Go to http://testphp.vulnweb.com/login.php.
- Login with test/test.
- You are now authenticated. The server gave you a session.
Step 2: Extract the Cookie
- Open the Cookie-Editor extension in Chrome.
- Look for a cookie named login. Copy its value (it might be a string like test%2Ftest).
- In a real Session Hijacking attack, the hacker would get this string via Wireshark/Cookie Cadger sniffing.
Step 3: The “Hacker” Attacks
- Open Firefox. Go to the same website. Do not log in.
- You will see you are a “Guest”.
- Open the Cookie-Editor extension in Firefox.
- Click “Add Cookie”.
- Name: login
- Value: [Paste the value from Chrome]
- Save and Refresh the page.
Result
Firefox will suddenly say: “Logout test”. You are logged in! You bypassed the login screen completely using just a piece of text. This demonstrates how easy Session Hijacking can be.
Part 6. Why VPN is the Only True Defense
So, how do you stop someone from photocopying your ID card? You put it in a safe.
How NordVPN Stops Session Hijacking:
When you use a VPN, every single packet leaving your computer is encrypted (AES-256) and carried inside the VPN tunnel.
Let’s replay the coffee shop scenario with NordVPN:
- You connect to Wi-Fi.
- NordVPN automatically establishes a secure tunnel.
- You log in to Facebook (or even an insecure HTTP site).
- Your browser sends the Session Cookie.
- Before it leaves your antenna, NordVPN encrypts it.
- The Hacker with Cookie Cadger: He sees a packet passing by. He tries to read it. He sees: Ax9&b%#...[Garbage]....
- He cannot distinguish if it’s a cookie, a photo, or an email. He definitely cannot perform Session Hijacking.
The “Kill Switch” Factor
What if the VPN drops for a second? NordVPN has a Kill Switch. If the encrypted connection drops, it instantly cuts your internet access. This ensures that your naked Session Cookie is never sent over the airwaves by accident.
Conclusion: The Invisible Theft
Session Hijacking is terrifying because it is silent.
- No “Wrong Password” alert.
- No “New Login from Russia” email (because the hacker is using your IP or local network).
- No 2FA prompt.
The hacker simply becomes you. While sites are getting more secure with HTTPS, the sheer number of vulnerabilities (Evil Twins, SSL Stripping, user error) means public Wi-Fi is never truly safe from Session Hijacking.
Don’t let your digital identity float in the air for anyone to grab.
FAQ: Session Hijacking
Q: Does Incognito Mode prevent Session Hijacking?
A: No. Incognito mode just deletes cookies after you close the browser. While the session is active, the cookies are still being sent over the network and can be stolen.
Q: Does logging out help?
A: Yes! When you click “Log Out”, the server destroys the validity of that specific Session ID. If a hacker stole your cookie 5 minutes ago, and you log out now, their stolen cookie becomes useless. Always log out on public Wi-Fi.
Q: Can I use Cookie Cadger on Android?
A: There are similar tools for rooted Android devices (like cSploit or DroidSheep), but they work on the same principle. A VPN protects against mobile Session Hijacking too.
