Cloned originally from http:https://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py Forked from https://github.com/as0ler/BinaryCookieReader/
- Added support for Python 3.12.3
- Added support for the SameSite Lax & SameSite Strict flags
- Added functionality to create a
cookies.txt
file in theNetscape Cookies.txt File Format
python3 BinaryCookieReader.py [path] [output_path]
where:
[path]
is the path to the.binarycookies
file (generally, Safari'sCookies.binarycookies
file is stored in~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies
)[output_path]
is the path pointing to the destination of thecookies.txt
file (more information about theNetscape Cookies.txt File Format
athttp:https://justsolve.archiveteam.org/wiki/Netscape_cookies.txt
)
Cookies.binarycookies file is composed of several pages and each page can have one or more cookies. The complete file format is explained below:
- The file starts with a 4 byte magic string:
cook
. It is used to identify the file type. - Next four bytes is an integer specifying the number of pages in the file.
- Following that, a 4 byte integer for each page, represents the page size.
- Next to that, the file contains the actual page content. Each page is of length corresponding to the page size. Page format is explained below.
- The file ends with an 8 byte value and it might be file checksum.`
- Every page starts with a 4 byte page header: 0x00000100.
- Next four bytes is an integer specifying the number of cookies in the page.
- Following that, a 4 byte integer for each cookie, represents the cookie offset. Offset specifies the start of the cookie in bytes from the start of the page.
- Next to that, the page contains the actual cookie contents. Each cookie is of variable length. Cookie format is explained below.
- Page ends with a 4 byte value and it is always 0x00000000.
- First 4 bytes in the cookie is the size of the cookie.
- The next 4 bytes are unknown (may be related to cookies flags).
- The next four bytes are the cookie flags. This is an integer value that can be a combination of the following flags: (
Secure
,HttpOnly
,SameSite
,SameSite_Strict
) - The next 4 bytes are unknown.
- The next 4 bytes is an integer specifying the start of the url field in bytes from the start of the cookie record.
- The next 4 bytes is an integer specifying the start of the name field in bytes from the start of the cookie record.
- The next 4 bytes is an integer specifying the start of the path field in bytes from the start of the cookie record.
- The next 4 bytes is an integer specifying the start of the value field in bytes from the start of the cookie record.
- The next 8 bytes represents the end of the cookie and it is always 0x0000000000000000.
- The next 8 bytes are the cookie expiration date. Date is in Mac epoch format (Mac absolute time). Mac epoch format starts from Jan 2001.
- The next 8 bytes are the cookie creation date.
- Next to that, the cookie contains the actual cookie domain, name, path & value. The order is not specific and they can appear in any order.