Cookies — Be careful when storing it!
Cookies are a fundamental concept that we learn when we first start web development. However, if misused, they become "good bait" for countless hackers.
This article covers the ways hackers can take advantage of cookies to hijack users and attack the system, along with methods of using cookies properly to prevent these vulnerabilities.
Cookie — Is the “cookie” harmless?
Server and client communicate with each other via the HTTP protocol, which is stateless: the server cannot tell whether two requests come from the same client or not.
Because of this, the cookie was born. In essence, a cookie is a small text file sent by the server to the client and then saved by the browser on the user's computer. When the client sends a request to the server, it sends the cookie along, and the server relies on this cookie to recognize the user.
Cookies usually have a name, value, domain, and expiration:
- Name and value: the cookie name and the value stored in the cookie.
- Domain: the domain the cookie is sent to. As shown below, the cookie is only sent when the client accesses wordpress.com.
- Expiration: the time the cookie stays on the client's computer. After this time, the cookie is deleted.
Security errors that cookies can cause
As I said, cookies are sent with each request to the server, and the server relies on them to identify users. Therefore, if someone can "steal cookies" from another person, they can impersonate that person.
Cookies can be stolen or abused in the following ways:
- Sniffing cookies over the network: using simple sniffing tools like Fiddler or Wireshark, an attacker on the same network can capture users' cookies, then use EditThisCookie to load the cookie into their own browser and impersonate the user. (See the HTTP post demo.)
- Cross-site request forgery (CSRF) attacks: a hacker can post an image link pointing at the target site. The browser automatically loads the link in the image, and of course the cookies are included. The server behind the image link reads the cookie from the request, confirms the user, and withdraws the money without the user's knowledge. This attack method has many variations, which I will clarify in the following article.
I'll repeat it for the nth time: you learn how to attack websites in order to know how to prevent attacks, not to hack and wreck them. If you encounter a security hole in any other website, please send an email to the admin so they can fix it; don't hack it and show off on Facebook.
Using cookies properly to prevent these vulnerabilities
- Remember to set Expires and Max-Age: to minimize the damage when cookies are stolen, don't let cookies live too long. Set the cookie lifetime to roughly 1 day to 3 months, depending on the application's requirements.
- Use the HttpOnly flag: cookies with this flag cannot be read through the document.cookie property. Therefore, even if the site has an XSS vulnerability, a hacker cannot steal them with script.
- Use the Secure flag: cookies with this flag are only sent over HTTPS, so a hacker cannot sniff them.
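An added example, not code from the original article, that puts the three recommendations above into practice in plain Node.js: one function issues a Set-Cookie header with Expires, Max-Age, HttpOnly and Secure, and another audits an existing header and reports which of those protections it lacks. The function names and the 1-day and 3-month bounds as constants are my own assumptions.

```javascript
// Added example (not from the original article): issue a session cookie with the
// three protections above, and audit an existing Set-Cookie header for them.
// Plain Node.js, no dependencies; function names are my own.

const ONE_DAY = 24 * 60 * 60;      // lower lifetime bound from the list above
const THREE_MONTHS = 90 * ONE_DAY; // upper lifetime bound from the list above

// Builds a Set-Cookie header value: Expires and Max-Age bound the lifetime,
// HttpOnly hides the cookie from document.cookie, Secure keeps it off plain HTTP.
// `now` is a parameter so the Expires date is reproducible.
function buildSessionCookie(name, value, maxAgeSeconds, now = new Date()) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s"]/.test(value)) throw new Error('invalid cookie value');
  if (maxAgeSeconds < ONE_DAY || maxAgeSeconds > THREE_MONTHS) {
    throw new Error('cookie lifetime should be between 1 day and 3 months');
  }
  const expires = new Date(now.getTime() + maxAgeSeconds * 1000).toUTCString();
  return `${name}=${value}; Expires=${expires}; Max-Age=${maxAgeSeconds}; HttpOnly; Secure`;
}

// Splits a Set-Cookie header value into name, value and lower-cased attributes;
// flag attributes without a value (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Returns the protections from the list above that a Set-Cookie header lacks;
// an empty array means all three recommendations are followed.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie under XSS');
  if (!attrs.secure) findings.push('missing Secure: also sent over plain HTTP, so sniffable');
  if (attrs.expires === undefined && attrs['max-age'] === undefined) {
    findings.push('no Expires/Max-Age: lifetime is not bounded by the server');
  } else if (Number(attrs['max-age']) > THREE_MONTHS) {
    findings.push('Max-Age longer than 3 months');
  }
  return findings;
}
```

Run `auditSetCookie` over the Set-Cookie headers your own server emits to catch session cookies that are missing a flag or outlive the 3-month bound.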