Cookie Slack Detector

It means that for a series of GET requests to the same URI, each time dropping a different cookie, nothing changes in the response length. Cookies which don’t have the expected effect can reveal flaws in application logic. In the worst case, there may be areas on the website where authentication via session cookies or the content controlled by preference cookies are not actually enforced. This leaves the possibility of fingerprinting the application and preparing scenarios for further attacks.

Verify if you are using session IDs and cookie-based authentication.

Check if all cookie preferences are used.

Ensure there are no unused information cookies.

Review all the areas reported to have issues with slack cookies.

ScanRepeat checks one by one if cookies are used for rendering the page at a given URI, based on length in bytes of response compared to baseline request. It reports every occurrence of such a vulnerability providing the URL of the issue along with the slack cookie name.