1

Retrieving and Using Slack Cookies for Authentication

Posted on by PaperMtn

Slack, like many other services, uses cookies to store authentication and session information. What is interesting with Slack, however, is that one particular cookie can be used to generate a user session token, and provide you programatic access as the user who generated it.

This cookie is imaginatively named d, and is available from a browser with an authenticated Slack session.

Getting the d (cookie)

In a browser window, authenticated to Slack and with Slack open, go to developer tools and head to the storage section (in Chrome this is under Application -> Storage)

Under cookies expand app[.]slack[.]com, and you will see all the cookies that Slack stores in the browser for the session.

The one you want to copy is the d cookie, that should start with xoxd-...

Take notice of the expiry date on this cookie, 10 years time. It is very long lived.

Turning this into a User Session Token

This cookie can used in a HTTP request to a Slack workspace the user has access to to retrieve a user session token, which will begin xoxc-..., this token can then be used in place of a user or bot token for the Slack API.

Make a cURL request to a workspace you know the user has access to. I know that the user cookie I’ve got has access to the slack domain westeros-inc, so I send a cURL request like this:

curl -L --cookie "d=xoxd-REDACTED" https://westeros-inc.slack.com

In the response, amongst other things, Slack returns the user session token in JSON data under the api_token key:

We can pipe this output to grep against a regex pattern to get the user session value:

curl -L --silent --cookie "d=xoxd-REDACTED" https://westeros-inc.slack.com | grep -ioE "(xox[a-zA-Z]-[a-zA-Z0-9-]+)"

Using this token

This token can be used in place of a user (xoxp-) or bot (xoxb-) token for API authentication to Slack:

Use Cases

There are two main use cases for this user session token:

  • Getting programatic access to Slack workspaces where app installation is restricted by Admin policy
  • Turning a compromised Slack cookie from a browser session into programatic access to Slack

Or, in a shameless plug, a Slack cookie can be used with Slack Watchman to enumerate workspaces and find exposed secrets.

PaperMtn

Cybersecurity professional based in the UK. Fan of dogs, chequered shirts and lists of three.

More Posts

One Comment

  1. Pingback: Slack Watchman Version 4.0.0 Release – PaperMtn

Comments are closed.