Test session management for fixation, weak identifiers, cookie-scope flaws, cookie injection, and broken logout/invalidation. (16 payloads)
Session fixation:
Set a known session ID before login, then authenticate
Cookie: SESSIONID=attacker_known_value
Compare SESSIONID before vs after login

Weak session identifiers:
Collect 100+ tokens and analyze entropy (Burp Sequencer)
Decode the token (base64 / hex)
Increment/decrement a numeric session or 'remember-me' token

Cookie-scope flaws:
Set-Cookie: id=...; HttpOnly; Secure; SameSite=Lax
Check for missing HttpOnly on the session cookie
Domain=.example.com (overly broad scope)
SameSite=None — test CSRF reachability

Cookie injection:
document.cookie='session=evil; domain=.example.com; path=/'
__Host-session=...; Secure; Path=/ (no Domain)
Send many junk cookies to evict the real one (cookie jar overflow)

Broken logout / invalidation:
Replay the session token after clicking logout
Use an old token after a password change
Reuse a JWT after 'logout'
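The cookie-scope and invalidation checks above translate directly into what a defender should verify on the server side. The following is an added example, not part of the cheat sheet or of the payload-playground tool: a small Set-Cookie auditor that flags the weaknesses listed (missing HttpOnly/Secure/SameSite, SameSite=None, an overly broad Domain, and a __Host- prefix whose attributes do not meet the prefix rules), plus a minimal in-memory session store showing the behaviour the fixation and logout tests expect (a fresh ID on login, server-side destruction on logout, invalidation of other sessions on password change). The SessionStore class, its method names and the sample header values are all constructed for the example.

```python
"""Added example: audit Set-Cookie attributes and model correct session
lifecycle handling. Names and sample values are constructed, not from the
cheat sheet."""
import secrets
from typing import Dict, List, Optional


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header value (empty list = clean)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie sent over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: browser default applies")
    elif samesite == "none":
        findings.append("SameSite=None: cookie is sent on cross-site requests")
    domain = attrs.get("domain")
    if domain:
        # Any explicit Domain attribute shares the cookie with every subdomain.
        findings.append(f"Domain={domain}: cookie shared with all subdomains")
    if name.startswith("__Host-"):
        # __Host- cookies must be Secure, Path=/ and carry no Domain attribute,
        # otherwise browsers reject them and the prefix gives no protection.
        if "secure" not in attrs or domain or attrs.get("path") != "/":
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


class SessionStore:
    """Constructed in-memory session store with the invalidation rules the
    fixation/logout checks test for."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}  # sid -> user or None

    def anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
        self._sessions[sid] = None
        return sid

    def login(self, sid: str, user: str) -> str:
        # Fixation defence: drop the pre-auth ID and issue a brand-new one,
        # so an ID planted before login never becomes authenticated.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        # Destroy server-side state so a replayed token is rejected.
        self._sessions.pop(sid, None)

    def change_password(self, user: str, keep_sid: str) -> int:
        # Revoke every other session of this user; return how many were dropped.
        stale = [s for s, u in self._sessions.items() if u == user and s != keep_sid]
        for s in stale:
            del self._sessions[s]
        return len(stale)


if __name__ == "__main__":
    for hdr in ("id=abc; Secure; SameSite=Lax",
                "session=abc; Domain=.example.com; SameSite=None",
                "__Host-session=abc; Secure; Path=/; HttpOnly; SameSite=Lax"):
        print(hdr, "->", audit_set_cookie(hdr) or "OK")
```

The auditor reports an explicit Domain attribute as a finding on purpose: a session cookie scoped to .example.com is readable and writable by any subdomain, which is exactly what the document.cookie injection item above relies on. The __Host- form with no Domain is the configuration that closes that path.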
This cheat sheet is a quick-reference collection of 16 Session Attacks payloads for testing Session & Cookie Attacks vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the CSRF generator to build customized Session Attacks variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
This cheat sheet and all Session Attacks payloads are free to use, with no account required; everything runs in your browser.