Cookie Baker: Gray-box Login Automation for Web Application Security Testing
PORCU, DAVIDE
2023/2024
Abstract
We present Cookie Baker, the first gray-box login automation framework for web application security testing. Cookie Baker is designed as a conservative extension of Cookie Hunter, a state-of-the-art black-box login automation tool. By combining static analysis with automated credential harvesting, Cookie Baker significantly increases the login success rate of Cookie Hunter and improves the diversity of the available account types, thus making security testing more effective and realistic. Our experimental evaluation on public web applications shows that the additional capabilities of Cookie Baker enable it to automatically log in to 4x more web applications than Cookie Hunter. This improvement in login automation yields a substantial increase in the code coverage reached by web crawling, which in turn improves vulnerability detection. Integrating Cookie Baker with the Wapiti security scanner allowed us to identify several new potential vulnerabilities in existing software, including two confirmed stored XSS vulnerabilities.

File | Size | Format
---|---|---
PorcuDavide874311_FinalThesis.pdf (not available) | 1.54 MB | Adobe PDF
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14247/24532