I have been reading up on session fixing/hijacking recently, and understand the theory.
What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the URL and pass it to the web application?
Or would you write some sort of custom script to make use of this, and if so what would it do?
I'm not trying to ask for help with this or examples, but I am trying to learn more and understand. Any help is appreciated.
Forging a cookie is trivial. As mentioned by Klaus, you can do it right out of your browser.
Here's a practical example of how this could be exploited:
Of course, in practice there will be more security on high profile sites (for instance, one could check that a session ID never transfers to another client IP address), but this is the gist of how session hijacking works.