Cookie poisoning is a type of cyberattack in which threat actors manipulate or forge session cookies to bypass security measures, impersonate users, and breach privacy. By forging these cookies, an attacker can impersonate a valid client and thus obtain information and perform actions on behalf of the victim. Alternatively, attackers can use forged cookies to trick a server into accepting a new version of an intercepted cookie with modified values. The ability to forge such session cookies (or, more generally, session tokens) stems from the fact that not all tokens are generated in a secure way.
What is a cookie?
A cookie is information that a web site places on your hard disk so that it can remember something about you at a later time. More technically, a cookie is information for future use that is stored by the server on the client side of a client/server communication. Typically, a cookie records your preferences when using a particular site. Under HTTP, each request for a web page is independent of all other requests. For this reason, the web server has no memory of what pages it has previously sent to a user, or of anything about your previous visits.
A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer. Cookies stored on your computer's hard drive maintain bits of information that allow web sites you visit to authenticate your identity, speed up your transactions, monitor your behavior, and personalize their presentations for you.
How do cookies work?
When a user visits a site, the site sends a tiny piece of data, called a cookie, which is stored on the user's computer by their browser. The browser sends the cookie back to the server with every request the browser makes to that server, such as when the user clicks a link to view a different page or adds an item to a shopping basket.
The data stored in the cookie lets the server know with whom it is interacting so it can send the correct information back to the user. Web servers often use cookies to track whether a user is logged in, and to which account. Cookie-based authentication is stateful across multiple requests and has long been the default method for handling user authentication. It binds the user's authentication credentials to the user's requests and applies the access controls enforced by the web application.
A typical example of a cookie use begins with a user entering their login credentials, which the server verifies are correct. The server then creates a session that is stored in a database, and a cookie containing the session ID is returned to the user's browser. On every subsequent request, the browser returns the cookie data, and the session ID is verified by the server against the database; if it is valid, the request is processed. When the user logs out of the site, the session is usually destroyed on both the client and server-side, but if the user has checked the “Keep me logged in” or “Remember me” option, the cookie will persist on the user's computer.
How are cookies manipulated/poisoned?
Where security measures are insufficient, cookies can be accessed by persons who are not authorized to do so. An attacker can examine a cookie to determine its purpose and edit it so that it helps them obtain user information from the website that sent the cookie.
Cross-site scripting (XSS) injection attacks are a common method used to steal session cookies. If attackers can find a page on a site that is vulnerable to XSS injection, they can insert a malicious script into the page that sends them the session cookie of everyone that views the page. The cookie then enables the attackers to impersonate its rightful owner, enabling them to stay logged in to the victim's account for as long as they want, without ever having to enter a password.
Cookie-based session attacks take advantage of the session identifier, which is the most valuable piece of data stored in application cookies. Session identifiers open the way to session hijacking and related attacks. Here are a few cookie-based session attacks:
- Session hijacking. Cybercriminals use their knowledge of the current session cookie to take over the user's session while they are logged in to a website.
- Session spoofing. Cybercriminals start a new session using session tokens they have stolen or forged to impersonate the legitimate user.
- Session fixation. Cybercriminals use a phishing email or other means to send a legitimate user a known session identifier and fool them into using this identifier to log in to a malicious site. The attacker then hijacks the user session.
- Session sniffing. Cybercriminals employ a packet sniffer to intercept and log packets, which contain session cookies, as they flow across a network connection.
Alternative cookie attacks include predicting, brute-forcing or replicating the contents of a valid authentication cookie. Any such forged cookies would enable the attacker to impersonate a site's genuine users.
- Client-side cookie poisoning. Cybercriminals manipulate the cookie data before the cookie reaches the server.
- Man-in-the-middle cookie hijacking. Cybercriminals act as a middleman between the user’s web browser and the web server to access the cookie information being transmitted, and then steal or modify it for malicious purposes.
- Buffer overflow attack. Cybercriminals take advantage of a web server running insecure software that exposes the memory of the server, which often contains cookie information.
How can we prevent cookie poisoning?
Because cookie poisoning is fairly easy to carry out, adequate cookie-poisoning protection should detect cookies that were modified on a client machine by verifying that the cookies sent by the client are identical to the cookies that were set by the server.
Ingrian Networks has developed a patented platform that provides a means of securing cookie authenticity. When cookies pass through the platform, sensitive information is encrypted and a digital signature is created, which is used to validate the content in all future communications between the sender and the recipient. If the content is tampered with, the signature will no longer match the content and the server will refuse the request.
In addition, web applications should be developed so that certain key parameters are not stored within cookies so as to minimize the damage if they are stolen or forged.
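The following is an added illustration of the two defenses described above; it is not code from the original post or from Ingrian's platform. The server signs every cookie value it sets with an HMAC and rejects anything that comes back altered, and the cookie carries only an unpredictable session ID rather than sensitive parameters. The secret key, the `sid` field name and the sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for the example: generated once per process. A real deployment
# loads this from a secret store so every server instance shares the same key.
SECRET_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    """Unpredictable session ID: 256 bits from the OS CSPRNG, so it cannot
    be guessed or brute-forced, unlike a counter or a timestamp."""
    return secrets.token_urlsafe(32)


def _mac(value: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the cookie value, URL-safe base64 without padding
    (the alphabet contains no '.', so the separator below is unambiguous)."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_cookie(value: str) -> str:
    """Return 'value.signature': the signature proves the server set this value."""
    return f"{value}.{_mac(value)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the original value if the signature matches, otherwise None.
    A client that edited the value, or dropped the signature, gets None."""
    value, sep, sig = cookie.rpartition(".")
    if not sep or not sig:
        return None
    # Constant-time comparison so a tampered cookie is rejected without
    # leaking how many signature bytes were correct via timing.
    if not hmac.compare_digest(sig, _mac(value, key)):
        return None
    return value


if __name__ == "__main__":
    # Login: the server only puts the opaque session ID in the cookie.
    cookie = sign_cookie(f"sid={new_session_id()}")
    print("set:", cookie)
    print("valid:", verify_cookie(cookie))
    # Client-side poisoning: the attacker edits the value but cannot re-sign it.
    poisoned = cookie.replace("sid=", "sid=X", 1)
    print("poisoned:", verify_cookie(poisoned))  # None -> request refused
```

On the server the returned `sid` is still looked up in the session store, so a verified signature only proves the cookie is unmodified, not that the session is still live.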
(This post has been updated. It was originally published on April 18, 2019.)