Express Session Cracker #255
Description
Extension URL
https://github.com/joshua-gimer/express-session-weak-secret
Version number
1.0
Select additional compatible products and features
- Community
- DAST
- Burp AI
Author display name
Joshua Gimer
Contact details (optional)
Discord username (optional)
No response
I confirm that the following is true:
- I have permission from all relevant persons to submit this extension to the BApp Store for public use, under the terms and conditions of the EULA.
- I have read and understood the submission requirements for the BApp Store.
Extension overview
Express.js applications using express-session sign cookies with HMAC-SHA256. If the secret is weak or a known default, attackers can:
- Crack the secret via dictionary attack
- Forge arbitrary sessions to impersonate users or escalate privileges
- Bypass authentication entirely
This toolkit helps security professionals identify and demonstrate these vulnerabilities.
Key features
| Feature | Burp Extension | CLI Tool |
|---|---|---|
| Passive cookie capture | ✅ | — |
| Wordlist-based cracking | ✅ | ✅ |
| 70+ common secrets quick check | ✅ | — |
| Cookie forger | ✅ | — |
| Session data decoder | ✅ | — |
| Security flag analysis | ✅ | — |
| Context menu integration | ✅ | — |
| Export results | ✅ | — |
Usage instructions
Burp Extension
- Passive Capture — Browse target sites; cookies are captured automatically
- Context Menu — Right-click requests in Proxy/Repeater → "Send cookie to Express Cracker"
- Manual Input — Paste cookies from browser DevTools
- Quick Check — Instantly test against 70+ common/default secrets
- Wordlist Attack — Full dictionary attack with speed stats
- Forge Cookies — Generate valid signed cookies with discovered secrets
CLI Tool
Basic usage

```bash
./crack-connect-sid.py --cookie "s%3A." --wordlist /path/to/wordlist.txt
```

With options

```bash
# Backslashes continue the command across lines
./crack-connect-sid.py \
  --cookie "connect.sid=s%3Aabc123.ABCDEF..." \
  --wordlist rockyou.txt \
  --ignore-empty \
  --max 1000000
```
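
The signature check behind the overview above, as an added example that is not code from the extension or its CLI tool: it parses a `connect.sid` value and tests whether a short list of weak secrets reproduces its HMAC-SHA256 signature, as you would when auditing your own deployment. The candidate list, session ID and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed sample list; a real audit would use the team's own weak-secret wordlist.
WEAK_SECRETS = ["secret", "changeme", "keyboard cat", "mysecret"]

def sign(value: str, secret: str) -> str:
    """Base64 HMAC-SHA256 of value with '=' padding stripped, as the cookie carries it."""
    mac = hmac.new(secret.encode(), value.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode().rstrip("=")

def parse_cookie(raw: str) -> tuple[str, str]:
    """Split 'connect.sid=s%3A<sid>.<sig>' (or the bare value) into (sid, sig)."""
    value = unquote(raw.partition("=")[2] if "=" in raw else raw)
    if not value.startswith("s:"):
        raise ValueError("not a signed cookie (missing 's:' prefix)")
    # The signature follows the last '.', so split from the right.
    sid, dot, sig = value[2:].rpartition(".")
    if not (dot and sid and sig):
        raise ValueError("signed cookie has no '<sid>.<signature>' pair")
    return sid, sig

def find_weak_secret(raw_cookie: str, candidates=WEAK_SECRETS):
    """Return the candidate that reproduces the cookie's signature, else None."""
    sid, sig = parse_cookie(raw_cookie)
    for candidate in candidates:
        if hmac.compare_digest(sign(sid, candidate).encode(), sig.encode()):
            return candidate
    return None

def sample_cookie(secret: str, sid: str = "constructed-session-id") -> str:
    """Build a constructed test cookie in the signed format parsed above."""
    return "connect.sid=" + quote(f"s:{sid}.{sign(sid, secret)}", safe="")

if __name__ == "__main__":
    weak = sample_cookie("keyboard cat")
    strong = sample_cookie(secrets.token_urlsafe(32))
    print("weak deployment  :", find_weak_secret(weak))
    print("strong deployment:", find_weak_secret(strong))
```

A match means the secret should be replaced with a long random value, such as the output of `secrets.token_urlsafe(32)`, and existing sessions invalidated.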