Monitor Leaked Cookies for Your Domain (beta)

Access to this feature is not enabled for all accounts by default. Please contact your Customer Success Manager if you are interested in enabling it on your account.

Flare’s Leaked Cookies API

allows for searching in cookies matching your domains found in stealer logs. Integrators may use this API to identify and invalidate sessions before they are taken over.

This will guide will explain how to use the Leaked Cookies API to monitor for newly found cookies and invalidate their session.

Prequisites

Cookie monitoring must be enabled for your tenant. This feature must be activated by Flare Support.
Access to a mechanism by which you may verify a cookie’s validity.
Access to a mechanism by which you may invalidate a cookie.

Steps

Fetch one page of results

Use the cookies/_search endpoint to fetch one page of results.

If the returned page of results is empty, this means that all cookies were viewed.

Verify and Invalidate

Loop over the response’s items to verify the cookie’s validity and invalidate the cookie.

Ratelimit and go to step 1

Wait one second to avoid going over the API rate limit. Then, go back to step 1 to fetch the next page.

Full Project Template

Flare maintains a full project example on Github:

https://github.com/Flared/cookie-monitoring

It can serve as a starting point to implement automated session revocation in your organization.

End-to-End API Example

This is an end-to-end example in Python.

import os
import time

from datetime import datetime
from datetime import timezone
from flareio import FlareApiClient


api_client = FlareApiClient(
    api_key=os.environ["FLARE_API_KEY"],
)

last_from: str | None = None
fetched_pages: int = 0

for resp in api_client.scroll(
    method="POST",
    url="/leaksdb/v2/cookies/_search",
    json={
        "from": last_from,
        "domain": "scatterholt.com",
        "paths": ["/", "/login"],
        "names": ["session"],
        "expires_after": datetime.now(
            timezone.utc
        ).isoformat(),  # Search for cookies not yet expired
    },
):
    # Rate limiting.
    time.sleep(1)

    resp_data: dict = resp.json()

    fetched_pages += 1
    num_results: int = len(resp_data["items"])
    print(f"Fetched page {fetched_pages} with {num_results} results...")

    # Save the last "next" value.
    last_from = resp_data.get("next") or last_from

    # Iterate on cookies in the current page
    for cookie in resp_data["items"]:
        # Invalidate the cookie here
        print(f"Cookie Value: {cookie['value']}")

Introduction

Base Concepts

SDK

Advanced

Guides

Monitor Leaked Cookies for Your Domain (beta)

Prequisites

Steps

Full Project Template

End-to-End API Example

Introduction

Base Concepts

SDK

Advanced

Guides

​Prequisites

​Steps

​Full Project Template

​End-to-End API Example

Prequisites

Steps

Full Project Template

End-to-End API Example