Session cookies are used for session management within an application. The cookie contains the session data the application needs to recognise each user once they have logged into the site.
The session cookie is the key that maintains the user's session; without this cookie the user would not have access.
This cookie needs to be protected. If it is stolen, an attacker can swap in the victim's session cookie using a cookie manager tool and gain access to the application as the victim. Once this is done the attacker has full control of the victim's account.
An attacker can steal this cookie when the following attributes are missing or set too loosely, so verify each of them.
1. The cookie should not be readable by client-side script.
   - HttpOnly Attribute – This attribute should always be set even though not every browser supports it. It prevents the cookie from being accessed by client-side script, so check that the "; HttpOnly" tag has been set.
2. Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted tunnel.
   - Secure Attribute – After logging into an application and a session token is set using a cookie, verify it is tagged with the "; secure" flag. If it is not, the browser believes it is safe to send the cookie over an unencrypted channel such as plain HTTP.
3. It should only be set for the server that needs to receive the cookie.
   - Domain Attribute – Verify that the domain has not been set too loosely. As noted above, it should only be set for the server that needs to receive the cookie. For example, if the application resides on the server app.mysite.com, then it should be set to "; domain=app.mysite.com" and NOT "; domain=.mysite.com", as the latter would allow other, potentially vulnerable, servers under mysite.com to receive the cookie.
4. Even if the Domain attribute has been configured as tightly as possible, if the path is set to the root directory "/" the cookie is exposed to less secure applications on the same server.
   - Path Attribute – Verify that the path attribute, just like the Domain attribute, has not been set too loosely.
5. If a cookie is set to "; expires=Fri, 13-Jun-2010 13:45:29 GMT" and it is currently June 10th 2008, then you want to inspect the cookie. If the cookie is a session token that is stored on the user's hard drive, then an attacker or local user (such as an admin) who has access to this cookie can access the application by resubmitting this token until the expiration date passes.
   - Expires Attribute – Verify that, if this attribute is set to a time in the future, the cookie does not contain any sensitive information.
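The five checks above can be applied to a raw Set-Cookie header. The following is an added example, not part of the original text: a small Python checker that parses the header and reports each attribute that fails the tests described. The sample headers, the host name app.mysite.com and the "current date" of June 10th 2008 are constructed to match the examples in the text.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (not captured from a real site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Domain=.mysite.com",
    "SESSIONID=abc123; Path=/app; Domain=app.mysite.com; Secure; HttpOnly",
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; expires=Fri, 13-Jun-2010 13:45:29 GMT",
]

# Constructed "current date" taken from the Expires example in the text.
AS_OF = datetime(2008, 6, 10, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flags such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_session_cookie(header, host, now=None):
    """Return a list of findings for a session cookie, one per failed check.
    host is the server that should receive the cookie (e.g. app.mysite.com);
    now is the reference time for the Expires check (defaults to current UTC)."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by client-side script")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    # A missing Domain makes the cookie host-only, which is the tightest setting.
    domain = attrs.get("domain", "").lstrip(".")
    if domain and domain != host:
        findings.append(f"Domain={attrs['domain']} is wider than the host {host}")
    if attrs.get("path", "/") == "/":
        findings.append("Path=/ exposes the cookie to every application on the host")
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires > now:
            findings.append(f"persistent cookie: expires {expires.isoformat()}")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, check_session_cookie(header, "app.mysite.com", AS_OF), sep="\n  ")
```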
How to Test
There are many ways to verify that these attributes have been set on cookies.
- Proxy – Use an intercepting proxy such as ZAP or Burp to trap the traffic and verify the attributes manually. The proxy may also flag missing attributes as an issue.
- Firebug – A browser extension that lets you view the cookies and verify whether these attributes have been added.