Insecure Cookies

Popularity:

4

Simplicity:

7

Impact:

8

Risk Rating:

6

Some organizations utilize both HTTP and HTTPS for their web applications with the aim of allowing nonsensitive information to be transferred over HTTP and utilizing HTTPS to encrypt their more sensitive sections of the web applications. This is commonly found with Internet banking sites where the main page for the bank will be sent over HTTP; however, when the user browses to the Internet banking section of the website, the web application will force the user to use HTTPS to ensure sensitive and confidential information is encrypted.

This sounds like a good little setup; however, if the web application uses the same cookies across HTTP and HTTPS, then an attacker is able to capture the cookies as they traverse the network over HTTP. These cookies can then be used to perform session hijacking against the Internet banking application that is running over HTTPS.

Let's then say that the web application has been redeveloped to fix this security weakness by only setting the cookies once the user has entered the HTTPS section of the website. The cookies have not been transferred across the network unencrypted and, therefore, the attacker has not been able to capture any data in clear text.

What happens if the user decides to browse away from the HTTPS section of the website and return to the bank homepage that is transmitted over HTTP? Technically the request is still going to the same website, and therefore the session details are once again sent unencrypted by the browser over the network. This again allows the attacker to capture the cookies to carry out session hijacking to gain access to the web application. Similarly, if the web application requests images or other nonsensitive items over HTTP, then the session details would again be sent in clear text.

To guarantee that cookie reverse engineering is unable to be performed, make sure that cookies and session identifiers are not predictable.

Custom cookies that are generated by the web application itself are often found to be using insecure cookie generation algorithms. Many developers use a combination of a timestamp and an incrementing identifier—and on a good day, they may even encode the cookie. If attackers are able to access the web application and gain a valid cookie, they may be able to perform reverse engineering on the cookie generation algorithm so that they can predict other users' session identifiers. If this is successful, attackers may then be able to perform session hijacking to gain unauthenticated access to any active session on the web application.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment