Cookie Poisoning

Cookie poisoning is an attack that exploits vulnerabilities of a site’s session management logic by sending a modified or forged cookie to the web server. Sending a poisoned cookie effectively tricks the web server into returning sensitive information to unauthorized users or causes the server to modify information user information at the request of an unauthorized attacker.

Attack Vector

In order to preform cookie poisoning, the attacker must be able to intercept and partially or completely alter a user’s cookie before it reaches the server. If a site’s cookie contains important parameters that are easily identifiable, an attacker is able to extract information just by reading the cookie. There are three main ways cookie poisoning can be accomplished:

XSS attack

- The user clicks on an adversarial link that executes JavaScript and sends cookie information to the attacker.

Man-in-the-middle attack

- The attacker intercepts and modifies the cookie exchange between client and server.

Man-in-the-browser attack

- Malware installed in user’s browser automatically manipulates cookie data

Impact

Cookie poisoning can result in stolen user identity, malicious transactions being made within a website by using a user’s credentials, or unauthorized access to a user’s private information. Financial fraud is one of the most common use cases of cookie poisoning.

Attack Examples

Example: Man-in-the-middle attack

Bob is using an online shopping website, but is unable to afford the final checkout price of $100. Upon viewing all the cookies contained within his browser, Bob realizes that there is a cookie with a key named checkout_price which was being sent to the server for each transaction that was made. He decides to manipulate his own cookie that was being exchanged between his browser and the web server, by clicking checkout, intercepting the data being sent, and modifying the checkout_price value to $5. After he sends the modified cookie to the server, his browser receives confirmation that his order has been made with a total price of $5.

Defenses

To ensure that attackers are not able to reconstruct a cookie and trick the server, web sites can encrypt its cookies by using https instead of http, which makes decrypting the cookie infeasible. Utilizing a web application firewall is also a good way to prevent cookie poisoning, as it allows the web server to detect whenever a cookie has been altered.

Criteria for Demonstration

To demonstrate this attack, provide the exact steps and parameters of the cookie you modified which allowed you to trick the server into sending you unauthorized data (e.g. information regarding other users) or made the server modify data which you do not have permission to.

Resources


knambara