# Cookie Tossing

If you control a subdomain, or you find an XSS in a subdomain, you can set a cookie that will be sent to the parent domain and all of its subdomains. This can lead to the following attack vectors:

* Set an attacker-controlled session cookie for a victim and collect the sensitive data the victim enters while unknowingly using the attacker's account
* Fixate a session cookie if the application does not rotate it after login
* If a cookie is initialised with a value that survives login, you can set a known value and abuse it. For instance, a Flask application may store the CSRF token of a session in a cookie and keep this value after login, so you can use the known value to perform a CSRF attack
* Perform a [Cookie bomb](https://0xn3va.gitbook.io/cheat-sheets/web-application/cookie-security/cookie-bomb) attack

Cookie tossing is possible even if a cookie with the same name is already set: when a browser holds two cookies with the same name whose scopes (domain, subdomains and path) partially overlap, it sends both cookies in any request for which both are valid. If an application uses only the first cookie it receives, you can force it to use yours by setting the `Path` attribute to a longer path, since browsers order cookies with longer paths first; check [Cookie Security: Cookie-list sorting](https://0xn3va.gitbook.io/cheat-sheets/web-application/cookie-security/..#cookie-list-sorting).
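The ordering rule above, as an added Python example that is not the cheat sheet's own code: it simulates the RFC 6265 cookie-selection order (longer path first, then earlier creation time) on constructed cookies, and shows the server-side check that closes the gap by rejecting a request carrying two cookies with the same name instead of silently using the first one. Hostnames and cookie values are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # domain the cookie is scoped to
    path: str     # Path attribute
    created: int  # creation order; lower means set earlier


def domain_matches(host: str, cookie_domain: str) -> bool:
    # Simplified domain-match: exact host or any subdomain of the cookie domain.
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    # RFC 6265 section 5.1.4 path-match rules.
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def build_cookie_header(jar, host: str, req_path: str) -> str:
    """Pick the cookies a browser would send and order them as RFC 6265
    section 5.4 does: longer paths first, ties broken by earlier creation."""
    matching = [c for c in jar
                if domain_matches(host, c.domain) and path_matches(req_path, c.path)]
    matching.sort(key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in matching)


def has_duplicate_cookie_names(header: str) -> bool:
    """Server-side defence: flag a Cookie header in which the same name
    appears more than once, so the application can reject the request."""
    names = [pair.partition("=")[0] for pair in header.split("; ") if pair]
    return len(names) != len(set(names))


# Constructed jar: the legitimate session cookie set for example.com, then a
# cookie tossed from a subdomain with the same name and a longer Path.
JAR = [
    Cookie("session", "victim-legit", "example.com", "/", created=1),
    Cookie("session", "tossed-value", "example.com", "/login", created=2),
]
```

For a request to `/login` the tossed cookie is sent first, so an application that reads only the first `session` value is fixated; the duplicate-name check refuses that header outright.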

If an application rejects requests that carry two cookies with the same name but different values, you can try the following tricks:

* Evict the legitimate cookie by overflowing the cookie jar with the attacker's cookies, check [Cookie Jar Overflow](https://0xn3va.gitbook.io/cheat-sheets/web-application/cookie-security/cookie-jar-overflow)
* Vary the cookie name so the server still accepts it: use URL encoding, change the letter case, or add extra symbols such as `%00`, `%20`, `%09`, etc.

## References

* [HackTricks: Cookie Tossing](https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-tossing)

