Cookies - TairinySimeonato/WebAuditing GitHub Wiki

1. What are cookies?

A cookie is a small piece of data that a web server sends to the browser, which stores it and returns it with later requests to the same site. Early applications stored user data directly in cookie values (preferences, form contents, sometimes even login details). Because each cookie is limited to about 4 KB and every cookie is re-sent with every request, developers moved that data to the server: the cookie now carries only an opaque session ID, and the state it refers to lives in server-side storage with no practical size limit. Cookies serve three main purposes: session management, personalization and tracking.

2. How are they generated?

A server creates a cookie with the "Set-Cookie" HTTP response header (page JavaScript can also create one through document.cookie). Once stored, the browser sends it back in the "Cookie" request header on every subsequent request that matches the cookie's Domain, Path, Secure and SameSite rules.

3. Different types of cookies

  • Session Cookies - carry no Expires or Max-Age; the browser discards them when the browsing session ends (normally when the browser is closed).
  • Permanent (persistent) Cookies - carry an expiry, either an absolute date ("Expires") or a lifetime in seconds ("Max-Age"); when both are present, Max-Age wins.
  • HttpOnly Cookies - JavaScript cannot read them through document.cookie. This does not prevent XSS itself, but it stops an injected script from stealing the cookie value.
  • Secure Cookies - only sent to the server over HTTPS, so they never travel in plaintext.

4. Cookie Attributes

  • HttpOnly - the browser does not expose the cookie to JavaScript (document.cookie omits it). It does not prevent XSS, but it denies an injected script the session cookie, which is the most common thing XSS is used to steal.
  • Secure - the browser only sends the cookie over HTTPS.
  • Path - the URL path prefix the cookie is sent with. The value is usually "/", meaning every request to the host gets the cookie. Path is not a security boundary: a page on another path of the same origin can still read the cookie (for example by loading the target path in an iframe), because the same-origin policy ignores paths.
  • Domain - which hosts receive the cookie. If omitted, only the exact host that set it gets it (a host-only cookie). If set to "example.com", example.com and all of its subdomains get it, so a compromised or attacker-controlled subdomain can read and overwrite it. Leave it out for session cookies unless subdomains really need them.
  • SameSite - controls whether the cookie is attached to requests initiated by another site. "Strict": never sent on cross-site requests, not even when the user follows a link from another site. "Lax": sent on top-level navigations with a safe method (a clicked link, a GET), but not on cross-site POSTs, fetch/XHR, images or iframes; modern browsers treat a missing attribute as Lax. "None": always sent, and only accepted together with Secure. Strict or Lax stops the classic CSRF where the attacker's page submits a form with the victim's cookie, but it is not a complete defense: Lax still allows cross-site GETs, sibling subdomains count as the same site, and it offers nothing against an attacker who already has a foothold on the same site (for example through XSS), so keep anti-CSRF tokens as well.
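The Secure and SameSite rules above decide, per request, whether the browser attaches a cookie at all. The following model of that decision is an added example and is not code from the wiki; it assumes that a missing SameSite attribute means Lax (the current browser default) and its siteOf() helper treats the last two host labels as the registrable domain, which is wrong for public suffixes such as co.uk (a real implementation would consult the Public Suffix List). The bank and attacker hosts and the request scenarios are constructed for the example.

```javascript
// Added example (not from the wiki): a model of the browser's decision to attach a
// cookie to a request, covering the Secure and SameSite attributes described above.
// Assumptions: SameSite defaults to Lax when absent (the modern browser default), and
// siteOf() treats the last two host labels as the registrable domain, which is wrong
// for public suffixes such as co.uk; a real check would use the Public Suffix List.
// Chrome's temporary "Lax-allowing-unsafe" exception for freshly set cookies that
// lack a SameSite attribute is not modelled.

function siteOf(url) {
  const u = new URL(url);
  const registrable = u.hostname.split('.').slice(-2).join('.');
  return `${u.protocol}//${registrable}`; // schemeful same-site: http and https differ
}

// cookie:  { name, secure: boolean, sameSite: 'Strict' | 'Lax' | 'None' | undefined }
// request: { url, initiatorUrl, method, topLevelNavigation }
//          initiatorUrl is the page that triggered the request (undefined for a typed URL)
function cookieIsSent(cookie, request) {
  const target = new URL(request.url);
  if (cookie.secure && target.protocol !== 'https:') return false;

  const sameSite = (cookie.sameSite || 'Lax').toLowerCase();
  if (sameSite === 'none') {
    // SameSite=None is only accepted together with Secure; without Secure the
    // browser rejects the cookie when it is set, so it is never sent.
    return cookie.secure;
  }

  const crossSite = request.initiatorUrl !== undefined &&
    siteOf(request.initiatorUrl) !== siteOf(request.url);
  if (!crossSite) return true;
  if (sameSite === 'strict') return false;

  // Lax: cross-site requests get the cookie only on top-level navigations that use
  // a safe method, e.g. the user clicking a link. A cross-site form POST, fetch/XHR,
  // <img> or <iframe> load does not.
  const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  return request.topLevelNavigation === true &&
    safeMethods.includes(request.method.toUpperCase());
}

// Constructed scenarios: a bank's session cookie and requests from an attacker's site.
const bank = 'https://bank.example';
const attacker = 'https://attacker.example/';
const scenarios = {
  csrfFormPost:   { url: `${bank}/transfer`, initiatorUrl: attacker, method: 'POST', topLevelNavigation: true },
  linkClick:      { url: `${bank}/account`,  initiatorUrl: attacker, method: 'GET',  topLevelNavigation: true },
  crossSiteFetch: { url: `${bank}/api`,      initiatorUrl: attacker, method: 'GET',  topLevelNavigation: false },
  sameSiteXhr:    { url: `${bank}/api`,      initiatorUrl: 'https://www.bank.example/', method: 'POST', topLevelNavigation: false },
  plainHttp:      { url: 'http://bank.example/', initiatorUrl: undefined, method: 'GET', topLevelNavigation: true },
};

// Returns, for one cookie, whether it is attached in each scenario.
function evaluate(cookie) {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) out[name] = cookieIsSent(cookie, req);
  return out;
}

console.table({
  Strict: evaluate({ name: 'sid', secure: true, sameSite: 'Strict' }),
  Lax:    evaluate({ name: 'sid', secure: true, sameSite: 'Lax' }),
  None:   evaluate({ name: 'sid', secure: true, sameSite: 'None' }),
});
```

The table makes the CSRF point concrete: with Strict or Lax the attacker's form POST to /transfer goes out without the session cookie, so the server sees an unauthenticated request; with None (or on a site that still runs over plain HTTP with a non-Secure cookie) the old attack works unchanged.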

5. The problems with cookies

  • Cookies can carry sensitive data in plain text, readable by anyone with access to the browser profile or to the network path;
  • Plain HTTP encrypts nothing, headers included, so cookies sent over HTTP can be sniffed;
  • An attacker who captures a victim's session ID (by sniffing, a man-in-the-middle position or XSS) can replay it and hijack the session, because the server cannot tell the attacker's request from the victim's.

6. Cookie Protection

What can an attacker do with document.cookie? Through an XSS vector the injected script can read the session cookie and send it to the attacker, who then hijacks the session, or it can hook the victim's browser into a framework such as BeEF (the Browser Exploitation Framework) for further attacks. HttpOnly defeats the first; the second does not need the cookie at all, so it has to be stopped by preventing the XSS itself.

  • Keep cookie values opaque: store a random session ID (or a blob that the server has encrypted and signed), never the sensitive data itself, so a sniffed or stolen cookie reveals nothing and cannot be tampered with. Encryption alone does not stop session hijacking, since a stolen ciphertext can still be replayed, so combine it with the points below;
  • Send cookies only over TLS (Secure attribute), so only the browser and the web server ever see them;
  • Use the right attributes (Secure, HttpOnly, SameSite, a tight Path and no Domain for session cookies) and a cookie-name prefix that makes the browser enforce them;

Example of a secure cookie:

Set-Cookie: __Host-SessionID=3h93…; Path=/; Secure; HttpOnly; SameSite=Strict

The __Host- prefix is enforced by the browser: it only accepts a cookie with that name if the cookie has Secure, Path=/ and no Domain attribute, so the cookie cannot be set over HTTP or overwritten from a subdomain. The weaker __Secure- prefix only requires Secure.
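When auditing an application, the practical check is to take each Set-Cookie header it returns and test it against the rules above. The parser and audit below are an added example, not code from this wiki, and the three sample headers (a hardened cookie in the form of the example above, a bare session cookie, and a __Host- cookie that breaks the prefix rules) are constructed for the example; the cookie values are placeholders.

```javascript
// Added example (not from the wiki): an auditor's check of a Set-Cookie header
// against the hardening rules above. It parses the header, then reports missing
// Secure/HttpOnly/SameSite, an over-broad Domain, and violations of the rules the
// __Secure- and __Host- cookie-name prefixes impose (Secure; and for __Host- also
// Path=/ and no Domain), which make the browser reject a misconfigured cookie.
// The sample headers at the bottom are constructed for the example.

function parseSetCookie(header) {
  const body = header.replace(/^\s*set-cookie:\s*/i, '');
  const [nameValue, ...attrs] = body.split(';').map(s => s.trim()).filter(Boolean);
  const eq = nameValue ? nameValue.indexOf('=') : -1;
  if (eq <= 0) throw new Error('malformed Set-Cookie: missing cookie name');
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    secure: false, httpOnly: false, sameSite: null,
    path: null, domain: null, expires: null, maxAge: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? null : attr.slice(i + 1).trim();
    switch (key) {
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val; break;
      case 'path':     cookie.path = val; break;
      case 'domain':   cookie.domain = val; break;
      case 'expires':  cookie.expires = val; break;
      case 'max-age':  cookie.maxAge = Number(val); break;
      default: break; // browsers ignore attributes they do not know
    }
  }
  return cookie;
}

// Returns the parsed cookie plus a list of findings; an empty list means the
// header satisfies every rule this page recommends.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure)   findings.push('missing Secure: may be sent over plaintext HTTP');
  if (!c.httpOnly) findings.push('missing HttpOnly: readable through document.cookie after XSS');
  const ss = c.sameSite ? c.sameSite.toLowerCase() : null;
  if (ss === null) findings.push('missing SameSite: relies on the browser default');
  else if (ss === 'none' && !c.secure) findings.push('SameSite=None without Secure: browsers reject the cookie');
  if (c.domain !== null) findings.push(`Domain=${c.domain}: cookie is shared with every subdomain`);
  if (c.name.startsWith('__Host-') && (!c.secure || c.path !== '/' || c.domain !== null)) {
    findings.push('__Host- prefix requires Secure, Path=/ and no Domain: browser rejects the cookie');
  } else if (c.name.startsWith('__Secure-') && !c.secure) {
    findings.push('__Secure- prefix requires Secure: browser rejects the cookie');
  }
  return { cookie: c, findings };
}

// Constructed sample headers: a hardened cookie beside two weak ones.
const samples = [
  'Set-Cookie: __Host-SessionID=EXAMPLEVALUE; Path=/; Secure; HttpOnly; SameSite=Strict',
  'Set-Cookie: sessionid=EXAMPLEVALUE; Path=/',
  'Set-Cookie: __Host-sid=EXAMPLEVALUE; Secure; HttpOnly; SameSite=Lax; Domain=bank.example',
];
for (const h of samples) {
  const { findings } = auditSetCookie(h);
  console.log(h + '\n  -> ' + (findings.length ? findings.join('\n     ') : 'no findings'));
}
```

Feed it the Set-Cookie headers from a proxy capture or from a curl -i run against the target; the third sample shows why the prefix matters, since a __Host- cookie with a Domain attribute is silently dropped by the browser and the application's session handling then fails open or falls back to something weaker.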

7. Sources