Cookie Manipulation and Poisoning

Everybody loves cookies. They’re hard to resist — sweet and delicious. So why is something as flavorless as a computer cookie blessed with the same name? You can blame Lou Montulli. He created the technology for Netscape Communications and received a patent for it in 1998. In the beginning, nobody knew that cookies were being used to authenticate web sessions. But when the truth came out, the public became concerned about the privacy implications. And it wasn’t long before cookies were exploited by the bad guys.

Those Little Cookies

Cookie might not be the best word. HTTP cookies function more like tickets. When you go to a club or an event, sometimes you need to check your coat in the cloak room. That creates an association between a numbered slip of paper and your jacket. Something similar happens when you take an item to the dry cleaners. The attendant gives you a slip or ticket that you will use to pick up your piece of clothing.

We won’t take the analogy too far, but if someone else managed to get that ticket from you, he could pick up your coat or dry cleaning and walk off with it. In the world of web applications, hackers would be happy to find a way to manipulate, change, or steal your internet cookie.

Let’s borrow the definition from a website called Radware:

“Cookie poisoning is the act of manipulating or forging a cookie (a small piece of data created and stored in a user’s browser that keeps track of important information regarding his or her session information for a particular site) for the purpose of bypassing security measures or sending false information to a server.”

The Cookie Monster is Hungry

So how does a cookie hacker mess with your cookie? He may modify values — if he can manage it. Suppose you are making a purchase on a website. Without the proper security, a hacker might be able to change financial parameters in a cookie. Brian Contos of Imperva gives examples of altering a checkout cart so that a product purchaser gets free shipping or a significant discount.

Another tactic is to steal the cookie outright. If the hacker can get the cookie onto his own computer, he would be able to access all the things that the user could. That’s because the cookie typically carries a session ID (SID) that identifies the user’s authenticated session to the server. If a cookie is sent in clear text, a hacker on the same hotspot network could capture it with packet-sniffing software and claim the cookie for his own.

Exploiting Cookies

By controlling your cookie, a hacker may be able to accomplish several things. He could impersonate you, connecting to your financial institution. Or he could use your cookie to get passwords or make purchases.

The Hacker News reports that a cookie exploit resulted in the compromise of millions of user accounts. Mohit Kumar wrote “Yahoo Reveals 32 Million Accounts Were Hacked Using ‘Cookie Forging Attack’” in March of 2017. Here’s how he describes it: “Instead of stealing passwords, hackers trick a web browser into telling Yahoo that the victim had already logged in by forging little web browser tokens called cookies.”

Elam Medhat of Latest Hacking News writes, “If the cookie contains passwords or session identifiers, stealing the cookie can be a very successful attack against a web site…. Reverse engineering the cookie offline is a very productive attack.” The site is dedicated to ethical hacking and uncovering web vulnerabilities.

Stopping the Cookie Monster

OWASP deals with a variety of possible solutions. In their section on perimeter solutions, they say to make sure that session identifiers are transmitted over an encrypted protocol. They mention Web Application Firewall (WAF) enforcement. And they talk about terminating sessions where the tokens are transmitted insecurely.

Amit Klein of Sanctum writes that combating cookie poisoning has to do with good session management. He says that session security often “falls between the cracks”. Sanctum’s solution includes a component that takes care of application security, such as a web application firewall (WAF).
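To make the two patterns concrete, here is an added example that is not from the original post or from Total Uptime, OWASP, Imperva or Sanctum: a checkout handler that trusts price and shipping values stored in the cookie (the manipulation described above), beside a hardened version that keeps the cart server-side, binds the opaque session ID to the server with an HMAC, and marks the cookie Secure, HttpOnly and SameSite. The key, the in-memory store and the cookie names are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Vulnerable pattern: the total is computed from price and shipping values
# that live in the cookie, so the client controls them and an edited cookie
# yields free shipping or a discount.
def total_from_trusted_cookie(cookie_header: str) -> float:
    c = SimpleCookie()
    c.load(cookie_header)
    return float(c["price"].value) + float(c["shipping"].value)

# Hardened pattern: the cookie carries only an opaque, unguessable session ID
# bound to this server with an HMAC; all cart state stays server-side.
SERVER_KEY = secrets.token_bytes(32)    # assumption: per-deployment secret
SESSION_STORE: dict = {}                # assumption: stand-in for a real DB

def _mac(sid: str) -> str:
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def issue_session_cookie(price: float, shipping: float) -> str:
    """Create a server-side cart and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"price": price, "shipping": shipping}
    c = SimpleCookie()
    c["session"] = f"{sid}.{_mac(sid)}"
    c["session"]["secure"] = True         # never sent over cleartext HTTP
    c["session"]["httponly"] = True       # not readable by page scripts
    c["session"]["samesite"] = "Strict"   # not attached to cross-site requests
    return c.output(header="").strip()

def total_from_session_cookie(cookie_header: str):
    """Return the cart total, or None if the cookie is missing, forged or unknown."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "session" not in c:
        return None
    sid, _, mac = c["session"].value.partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(sid).encode()):
        return None                       # tampered: reject, do not trust
    cart = SESSION_STORE.get(sid)
    return None if cart is None else cart["price"] + cart["shipping"]

if __name__ == "__main__":
    # Constructed sample cookies: a legitimate one and a tampered copy.
    print(total_from_trusted_cookie("price=100; shipping=10"))   # 110.0
    print(total_from_trusted_cookie("price=100; shipping=0"))    # 100.0, accepted
    cookie = issue_session_cookie(100.0, 10.0).split(";")[0]     # browser echo
    print(total_from_session_cookie(cookie))           # 110.0
    print(total_from_session_cookie(cookie + "00"))    # None, tampered
```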

Conclusion

Cookie manipulation is a vulnerability associated with poor session management. Care should be taken by developers to use best practices in the way these sessions are established. But application security tools such as a web application firewall are also needed to keep hackers at bay. Web security requires a multipronged approach. Remember, the hacker just needs to get it right once, but website owners have to defend at every point to keep their data secure.

Don’t let anybody touch your cookies! Consider Total Uptime’s Web Application and API Protection suite.