THE CENZIC BLOG
Read more articles in Web Application Security Insights.
August 17, 2009

Insecure Cookie Handling Vulnerability, Part 1

Defining an insecure cookie handling vulnerability

Many people have asked me to define an insecure cookie handling vulnerability, so here it is: this vulnerability is created when a developer fails to mark authentication cookies as Secure. That means Web browsers are free to send authentication cookies over an insecure HTTP channel. Because of this, hackers are able to cache all DNS responses, watch for the hostnames that are contacted on port 443, and connect to one of the domain names stored there. This allows the hacker to inject images from insecure (non-HTTPS) portions of the protected Website in order to get the browser to send the authentication cookie over plain HTTP.

4 Types of Insecure Cookies

  1. Insecure cookies: If the cookie's transport security is not set up properly (no Secure flag), a hacker can access the sensitive information stored in the cookie regardless of whether the Web application uses SSL, because the browser will also send it over plain HTTP. The attacker can then gather the sensitive data stored in that cookie.
  2. Persistent session handling cookies: When a session handling cookie is set persistently (with an Expires or Max-Age attribute), the cookie remains valid even after the user terminates the session. An attacker can therefore use a session cookie that the browser has stored in its cookie file on disk to access restricted information.
  3. Cacheable cookies: Such cookies can be cached at a proxy or gateway. This can result in a stale or out-of-date cookie value being served, possibly to a different user.
  4. Cookies with the HttpOnly attribute not set: If the HttpOnly attribute is not set, the cookie can be accessed and manipulated by client-side script. The sensitive information contained in the cookie can then be sent to a hacker's computer or Website by that script.
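The four conditions above can be checked mechanically from a response's `Set-Cookie` and `Cache-Control` headers. The following audit script is an added example written for this post and is not Cenzic's code; it assumes nothing beyond the Python standard library, and the sample headers in it are constructed for illustration. It flags each of the four weaknesses for a given cookie and also shows the hardened form of the same header (session-only, Secure, HttpOnly, served with non-cacheable response headers).

```python
"""Audit a Set-Cookie header for the four insecure-cookie conditions.

Added example for this post (not Cenzic's code). Works offline on header
strings; the sample headers at the bottom are constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute name lowercased: value}) for one
    Set-Cookie header. Attributes without a value (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(set_cookie: str, cache_control: str = "") -> List[str]:
    """Return the weaknesses found, using labels that match the post's list:

      insecure   - no Secure flag, so the browser may send it over plain HTTP
      persistent - Expires or Max-Age present, so it survives the session
      cacheable  - response cache headers allow a proxy/gateway to store it
      scriptable - no HttpOnly flag, so client-side script can read it
    """
    _, attrs = parse_set_cookie(set_cookie)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("insecure")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")
    # Cache-Control directives, lowercased. The response counts as cacheable
    # unless it forbids shared caches (no-store / private) or explicitly
    # excludes the header with no-cache="Set-Cookie".
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    if not directives & {"no-store", "private", 'no-cache="set-cookie"'}:
        findings.append("cacheable")
    if "httponly" not in attrs:
        findings.append("scriptable")
    return findings


def harden_cookie(set_cookie: str) -> str:
    """Rewrite a Set-Cookie header so that it passes the cookie-level checks:
    drops Expires/Max-Age (making it a session cookie) and appends Secure and
    HttpOnly. Path and any other attributes are preserved. Cacheability is a
    property of the response, so pair this with Cache-Control: no-store."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    kept = [parts[0]]
    for part in parts[1:]:
        key = part.partition("=")[0].strip().lower()
        if key in ("expires", "max-age", "secure", "httponly"):
            continue  # removed here and re-added (or not) below
        kept.append(part)
    kept += ["Secure", "HttpOnly"]
    return "; ".join(kept)


# Constructed sample headers: a weak authentication cookie and its fixed form.
WEAK_COOKIE = "SESSIONID=abc123; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"
WEAK_CACHE_CONTROL = "public, max-age=3600"
SAFE_CACHE_CONTROL = "no-store, private"

if __name__ == "__main__":
    print("weak:    ", audit_cookie(WEAK_COOKIE, WEAK_CACHE_CONTROL))
    fixed = harden_cookie(WEAK_COOKIE)
    print("hardened:", fixed)
    print("hardened:", audit_cookie(fixed, SAFE_CACHE_CONTROL))
```

Running the script reports all four labels for the weak header and none for the hardened one. Note that the Expires value itself contains a comma, which is why the parser splits on semicolons only; a naive comma split would misread that attribute.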

In my next blog article, I’ll discuss the 3 most common insecure cookie attacks.

by Sameer Dixit, Security Engineer
Sameer@cenzic.com

