Introduction security series – Store cookies – The thought of harming those who thought impossible

Tram Ho

Cookies are a very basic concept that we learn when creating a new web. However, if used incorrectly, it will become “good bait” for countless hackers.

This article will cover the ways hackers can take advantage of cookies to hijack users, attack the system, and how to use cookies properly to prevent these vulnerabilities.

Cookie – The harmless “cookie”?

Server and client communicate with each other via HTTP protocol . Characteristics of this protocol are stateless. The server cannot know if two requests come from the same client.

Because of this point, cookie was born. In essence, a cookie is a small text file sent by the server to the client, then the browser saves it to the user’s computer. When the client sends a request to the server, it sends a cookie . Server relies on this cookie to recognize the user.

Cookies usually have name, value, domain and expiration:

  • Name, comes with value: Cookie name and value of that cookie
  • Domain: Domain where cookies are sent. As shown below, cookies are only sent when the client accesses
  • Expiration: The time the cookie exists at the client. Past this time, the cookie will be deleted.


Biscuits are small, full of big holes

After understanding the basics of cookies, we will find out about the security flaws that cookies may cause.

As I said, cookies are attached to each request on the server. Server based on cookies to identify users. Therefore, if it is possible to “steal cookies” from others, we can impersonate that person.

Cookies may be stolen in the following ways:

  • Sniff cookies over the Internet: Using some simple sniffing tools like Fiddler and Wireshark, you can steal user cookies on the same network. Then use EditThisCookie to dump this cookie into the browser to impersonate the user. (See the HTTP post demo).
  • Chop cookies (Cookie thief) with XSS: With XSS vulnerability, hackers can run malicious code (JavaScript) on the user’s side. JS can read values ​​from cookies with the document.cookie function. Hackers can send this cookie to their server. This cookie will be used to impersonate the user.
  • Performing CRSF (Cross-site request forgery) attacks. Hackers can post an image link like this:

  • The browser will automatically load the link in the image, of course, with a cookie . The link in the image will read the cookie from the request, confirm the user, withdraw the money without the user’s knowledge. This way of attack has many variations, I will clarify in the following article.


Please remind me again for the nth time, you learn how to attack Website to know that prevention is not used to hack hacking villages. If you have security holes on any other site, please send an email to the admin for them to fix, but don’t hack and show off Facebook .

This part of the article will show you how to use cookies properly to avoid unnecessary security errors.

  • Remember to set Expired and Max-Age : To minimize damage when cookies are stolen, you should not let cookies live for too long. It is recommended to set the lifetime of the cookie to about 1 day to 3 months, depending on the application’s requirements.
  • Use Flag HTTP Only : Cookies with this flag will not be accessible via the document.cookie function. Therefore, even if the web has XSS errors, the hacker cannot steal it.
  • Using Flag Secure : Cookies with this flag are only sent via HTTPS protocol , hackers will not be able to sniff.
  • Because cookies are vulnerable to attack, absolutely do not contain important information in cookies (Password, account number, etc.). If it is required to save, it is necessary to carefully encode.


Note: If your website uses RESTful API, do not use cookies to authorize users but use OAuth or WebToken . This token is entered into each request’s Header so there will be no CRSF errors.

You can learn more about cookies and related security errors here:

Share the news now

Source : Techtalk