Cookie Baker: gray-box login automation for web application security testing

We present Cookie Baker, the first gray-box login automation framework designed to enhance web application security testing. Cookie Baker is designed as a conservative extension of Cookie Hunter, a state-of-the-art black-box login automation tool. By combining static analysis and automated credential harvesting, Cookie Baker significantly increases the success rate of Cookie Hunter and improves the diversity of the available account types, thus making security testing more effective and realistic. Our experimental evaluation on public web applications shows that the additional capabilities of Cookie Baker make it able to automatically login on 4x more web applications than Cookie Hunter. This substantial improvement in login automation translates into greater code coverage during web crawling, ultimately leading to a higher rate of vulnerability detection. The integration of Cookie Baker with the Wapiti security scanner enables us to identify several new potential vulnerabilities in existing software, including two confirmed stored XSS. These findings highlight Cookie Baker’s potential to enhance web application security testing, equipping security researchers and penetration testers with a powerful tool to uncover security flaws that would otherwise remain undetected.