Everybody loves cookies. They’re hard to resist — sweet and delicious. So why is something as flavorless as a computer cookie blessed with the same name? You can blame Lou Montulli. He created the technology for Netscape Communications and received a patent for it in 1998. In the beginning, nobody knew that cookies were being used to authenticate web sessions. But when the truth came out, the public became concerned about the privacy implications. And it wasn’t long before cookies were exploited by the bad guys.
Cookie might not be the best word. HTTP cookies function more like tickets. When you go to a club or an event, sometimes you need to check your coat in the cloak room. That creates an association between a numbered slip of paper and your jacket. Something similar happens when you take an item to the dry cleaners. The attendant gives you a slip or ticket that you will use to pick up your piece of clothing.
We won’t take the analogy too far, but if someone else managed to get that ticket from you, he could pick up your coat or dry cleaning and walk off with it. In the world of web applications, hackers would be happy to find a way to manipulate, change, or steal your internet cookie.
Let’s borrow the definition from a website called Radware:
“Cookie poisoning is the act of manipulating or forging a cookie (a small piece of data created and stored in a user’s browser that keeps track of important information regarding his or her session information for a particular site) for the purpose of bypassing security measures or sending false information to a server.”
So how does a cookie hacker mess with your cookie? He may modify values — if he can manage it. Suppose you are making a purchase on a website. Without the proper security, a hacker might be able to change financial parameters in a cookie. Brian Contos of Imperva gives examples of altering a checkout cart so that a product purchaser gets free shipping or a significant discount.
By controlling your cookie, a hacker may be able to accomplish several things. He could impersonate you, connecting to your financial institution. Or he could use your cookie to get passwords or make purchases.
The Hacker News reports that a cookie exploit resulted in the compromise of millions of user accounts. Mohit Kumar wrote “Yahoo Reveals 32 Million Accounts Were Hacked Using ‘Cookie Forging Attack’” in March of 2017. Here’s how he describes it: “Instead of stealing passwords, hackers trick a web browser into telling Yahoo that the victim had already logged in by forging little web browser tokens called cookies.”
Elam Medhat of Latest Hacking News writes, “If the cookie contains passwords or session identifiers, stealing the cookie can be a very successful attack against a web site…. Reverse engineering the cookie offline is a very productive attack.” The site is dedicated to ethical hacking and uncovering web vulnerabilities.
OWASP deals with a variety of possible solutions. In their section on perimeter solutions, they say to make sure that session identifiers are transmitted over an encrypted protocol. They mention Web Application Firewall (WAF) enforcement. And they talk about terminating sessions where the tokens are transmitted insecurely.
Amit Klein of Sanctum writes that combating cookie poisoning has to do with good session management. He says that session security often “falls between the cracks”. Sanctum’s solution includes a component that takes care of application security, such as a web application firewall (WAF).
Cookie manipulation is a vulnerability associated with poor session management. Developers should take care to follow best practices in the way these sessions are established. But application security tools such as a web application firewall are also needed to keep hackers at bay. Web security requires a multipronged approach. Remember, the hacker just needs to get it right once, but website owners have to defend at every point to keep their data secure.
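To make the session-management advice above concrete, here is an added example (not code from the original post or from any vendor named in it) showing one server-side defense against the cart-tampering scenario described earlier: the server signs each cookie value with an HMAC, rejects any value whose signature no longer matches, and sends the cookie with the Secure, HttpOnly and SameSite attributes so it only travels over an encrypted connection. The secret key and the cart contents are constructed placeholders.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.signature' where signature = HMAC-SHA256(key, value).

    The value stays readable by the client, but any edit to it (for example
    changing shipping to 0) breaks the MAC, so poisoning is detectable.
    This gives integrity only, not confidentiality.
    """
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}.{sig}"


def verify_cookie(signed: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the MAC matches, otherwise None."""
    value, sep, sig = signed.rpartition(".")
    if not sep:
        return None  # no signature present at all
    expected = sign_cookie(value, key).rpartition(".")[2]
    # Constant-time comparison so timing does not leak the signature.
    return value if hmac.compare_digest(sig, expected) else None


def set_cookie_header(name: str, signed_value: str) -> str:
    """Build a Set-Cookie header: HTTPS only, no script access, same-site only."""
    return f"{name}={signed_value}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    cart = "cart_total=49.99&shipping=9.99"  # constructed cart state
    cookie = sign_cookie(cart)
    print(set_cookie_header("cart", cookie))
    assert verify_cookie(cookie) == cart            # genuine cookie round-trips
    poisoned = cookie.replace("shipping=9.99", "shipping=0")
    assert verify_cookie(poisoned) is None          # tampered value is rejected
```

Storing only an opaque session identifier in the cookie and keeping the cart on the server is the stronger option; signing is the fallback for state that must live client-side.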
Don’t let anybody touch your cookies! Consider Total Uptime’s Web Application and API Protection suite.