Security primer series – Storing cookies – Seemingly harmless, harmful beyond belief
- Tram Ho
Cookies are one of the first concepts we learn when building a website. Used carelessly, though, they become "tasty bait" for countless hackers.
Cookie – The harmless “cookie”?
The server and the client talk to each other over HTTP. HTTP is stateless: on its own, the server cannot tell whether two requests come from the same client.
Cookies were born to fill this gap. In essence, a cookie is a small piece of text that the server sends to the client (in a Set-Cookie header); the browser stores it on the user's machine and attaches it (in a Cookie header) to every later request to that site. The server relies on this cookie to recognise the user.
A cookie usually has a name, a value, a domain and an expiration:
- Name and value: the cookie's name and the data stored under it.
- Domain: the domain the cookie is sent to. For example, a cookie scoped to wordpress.com is only sent when the client accesses wordpress.com (or one of its subdomains); it is never sent to other sites.
- Expiration: how long the cookie lives on the client. After this time the browser deletes it. A cookie without an expiration is a session cookie and disappears when the browser closes.
A small biscuit, full of big holes
Now that we understand the basics, let's look at the security problems cookies can cause.
As I said, the browser attaches cookies to every request it sends to the server, and the server uses the cookie to identify the user. So if we can "steal the cookie" of someone else, we can impersonate that person.
Cookies may be stolen in the following ways:
- Sniffing cookies on the network: with a packet sniffer such as Wireshark (or a debugging proxy such as Fiddler), you can capture the cookies of users on the same network whenever the site uses plain HTTP. Then load the captured cookie into your own browser with an extension like EditThisCookie and you are logged in as that user (see the demo in the HTTP post).
- CSRF (Cross-site request forgery): the hacker doesn't even need to read the cookie. They post an image on some page like this:
<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">
- The browser loads the image URL automatically, and, of course, attaches the user's bank cookie to that request. The bank server reads the cookie, sees a logged-in user, and withdraws the money without the user ever knowing. This attack has many variations; I will cover them in the next article.
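To make the CSRF mechanism above concrete, here is an added simulation (it is not part of the original article): a toy bank server that authenticates purely by session cookie and performs a withdrawal on a plain GET, and a toy browser whose cookie jar is keyed by host, so the bank cookie rides along on any request to bank.example.com no matter which page triggered it. The host names, session value and balances are constructed for illustration.

```javascript
// Added example, not from the original article. Everything here is constructed:
// the bank's routes, the session cookie value and the account balances.

// --- The bank's server ---------------------------------------------------
const sessions = { 'sess-bob': 'bob' };        // cookie value -> logged-in user
const accounts = { bob: 1000000, mallory: 0 }; // constructed balances

// Turn a "Cookie: a=1; b=2" header value into an object.
function parseCookieHeader(header) {
  return Object.fromEntries(
    (header || '').split(';').map(s => s.trim()).filter(Boolean)
      .map(p => p.split('=').map(s => s.trim()))
  );
}

// The flaw: a state-changing action on GET, authorised by nothing but the
// cookie. The server never asks *where* the request came from (req.headers
// .referer is ignored), so a request triggered from Mallory's page is
// indistinguishable from one Bob typed in himself.
function bankHandle(req) {
  const url = new URL(req.url);
  const user = sessions[parseCookieHeader(req.headers.cookie).session];
  if (!user) return { status: 401, body: 'login required' };
  if (url.pathname !== '/withdraw') return { status: 404, body: 'not found' };

  const from = url.searchParams.get('account');
  const to = url.searchParams.get('for');
  const amount = Number(url.searchParams.get('amount'));
  if (from !== user) return { status: 403, body: 'not your account' };
  if (!(amount > 0) || !(to in accounts) || accounts[from] < amount) {
    return { status: 400, body: 'bad request' };
  }
  accounts[from] -= amount;
  accounts[to] += amount;
  return { status: 200, body: 'ok' };
}

// --- The victim's browser ------------------------------------------------
const servers = { 'bank.example.com': bankHandle }; // host -> request handler

// Cookies are attached per target host, regardless of the page that caused
// the request. That automatic attachment is what CSRF abuses.
function browserFetch(url, jar, referer) {
  const host = new URL(url).hostname;
  const req = { url, headers: { referer } };
  if (jar[host]) req.headers.cookie = jar[host];
  return servers[host](req);
}

// Loading an <img src="..."> is nothing more than a GET to that URL.
function loadImage(src, pageUrl, jar) {
  return browserFetch(src, jar, pageUrl);
}

// Bob is logged in to the bank: his jar holds the session cookie.
const bobsJar = { 'bank.example.com': 'session=sess-bob' };

// Bob visits Mallory's page, which embeds the withdraw URL as an image.
function runAttack(jar) {
  accounts.bob = 1000000;  // reset so the run is repeatable
  accounts.mallory = 0;
  const res = loadImage(
    'http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory',
    'http://mallory.example/funny-cats.html',
    jar
  );
  return { status: res.status, bob: accounts.bob, mallory: accounts.mallory };
}

console.log(runAttack(bobsJar)); // Bob's balance is gone, Mallory has it
console.log(runAttack({}));      // a browser with no bank cookie gets 401
```

The second run shows that the attack only works through the victim's own browser: Mallory cannot fetch that URL herself, because her browser has no cookie for bank.example.com. Note that none of the three flags discussed below (Expires/Max-Age, HttpOnly, Secure) changes the outcome here, since the cookie is neither read by script nor sent over an insecure channel; the problem is that the bank accepts a money transfer from a request it never verified the origin of.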
Let me remind you for the nth time: you learn how websites are attacked so that you know how to defend them, not so you can go around hacking. If you find a security hole in someone else's site, email the admin so they can fix it; don't break in and show off on Facebook.
So how do we protect the cookie, or at least limit the damage when it is stolen?
- Remember to set Expires or Max-Age: a stolen cookie is useful only while it is still valid, so don't let cookies live too long. A lifetime of about one day to three months is reasonable, depending on the application's needs.
- Use the HttpOnly flag: a cookie with this flag cannot be read through the document.cookie property. Even if the site has an XSS hole, injected JavaScript cannot read the cookie and send it to the hacker.
- Use the Secure flag: a cookie with this flag is only sent over HTTPS, never over plain HTTP, so it cannot be sniffed on the network.
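The attributes listed earlier (name, value, domain, expiration) and the three flags above all come down to one question the browser answers for every request: does this cookie go out? The following added example (not code from the original article) models that decision: it parses a Set-Cookie header and implements domain matching, Expires/Max-Age expiry, the Secure rule for http vs https, and the HttpOnly rule for what document.cookie may see. The hosts and cookie values are constructed for illustration; real browsers apply further rules (Path, SameSite, public-suffix checks) that are left out here.

```javascript
// Added example, not from the original article: a minimal model of a
// browser's cookie jar. Hosts, names and values below are constructed.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null,    // null => host-only cookie (sent to the setting host only)
    expires: null,   // null => session cookie (gone when the browser closes)
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':   cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'max-age':  cookie.expires = now + Number(v) * 1000; break; // Max-Age beats Expires
      case 'expires':  if (cookie.expires === null) cookie.expires = Date.parse(v); break;
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Accept a Set-Cookie header from `setByHost` into the jar. A Domain attribute
// may only name the setting host or one of its parents; anything else is dropped.
function storeCookie(jar, header, setByHost, now = Date.now()) {
  const c = parseSetCookie(header, now);
  c.host = setByHost.toLowerCase();
  if (c.domain !== null && c.host !== c.domain && !c.host.endsWith('.' + c.domain)) {
    return false;
  }
  jar.push(c);
  return true;
}

function domainMatches(cookie, host) {
  if (cookie.domain === null) return host === cookie.host;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Cookies that are live for a request or page at `url`: right domain,
// not expired, and Secure cookies only when the scheme is https.
function liveCookies(jar, url, now) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatches(c, u.hostname))
    .filter(c => c.expires === null || c.expires > now)
    .filter(c => !c.secure || u.protocol === 'https:');
}

const serialise = cookies => cookies.map(c => `${c.name}=${c.value}`).join('; ');

// What goes into the Cookie header of a request to `url`.
function cookiesForRequest(jar, url, now = Date.now()) {
  return serialise(liveCookies(jar, url, now));
}

// What injected script (XSS) sees in document.cookie on a page at `url`:
// the same set, minus HttpOnly cookies.
function cookiesForScript(jar, url, now = Date.now()) {
  return serialise(liveCookies(jar, url, now).filter(c => !c.httpOnly));
}

// A weak session cookie next to a hardened one, set by the same site.
function demo() {
  const now = Date.parse('2020-01-01T00:00:00Z');
  const jar = [];
  storeCookie(jar, 'sid=weak123; Domain=wordpress.com; Max-Age=31536000',
              'www.wordpress.com', now);                       // one year, no flags
  storeCookie(jar, 'ssid=strong456; Domain=wordpress.com; Max-Age=86400; Secure; HttpOnly',
              'www.wordpress.com', now);                       // one day, Secure + HttpOnly
  const day = 86400 * 1000;
  return {
    toOtherSite:  cookiesForRequest(jar, 'https://example.org/', now),          // ''
    overHttp:     cookiesForRequest(jar, 'http://blog.wordpress.com/', now),    // weak only
    overHttps:    cookiesForRequest(jar, 'https://blog.wordpress.com/', now),   // both
    viaXss:       cookiesForScript(jar, 'https://blog.wordpress.com/', now),    // weak only
    twoDaysLater: cookiesForRequest(jar, 'https://blog.wordpress.com/', now + 2 * day), // weak only
  };
}

console.log(demo());
```

Read the demo output as the attacker would: the weak cookie leaks to a sniffer on plain HTTP, to script after an XSS hole, and keeps working for a year; the hardened one is invisible in all three cases and dies after a day.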
You can learn more about cookies and the security issues around them here:
Source: Techtalk