Cookie manipulation and poisoning


Cookie poisoning attacks involve manipulating and forging cookies in order to achieve illicit access to web applications. Hackers conducting cookie poisoning can forge cookies and gain access to other users' accounts. This malicious practice is a very popular strategy among hackers engaging in identity theft.

What hackers do

Cookies are common elements in web applications and are used to save information (e.g. account numbers, user IDs, time stamps, passwords, etc.). The saved information is stored on the user's hard drive. Ideally, access to the stored information is limited to the user. Simply put, cookies are used to save crucial user information and are stored on the user's computer system.

While visiting certain websites, visitors are asked for authentication. The username and password submitted by the user are validated by a login CGI (a program), and once they are validated, a cookie is stored in the user's browser, which contains a numerical identifier for the submitted information. Aside from usernames and passwords, cookies can be used to store e-mail addresses, telephone numbers, names, and work and home addresses.

For example, a customer seeking to purchase a watch visits a website that sells watches. The customer logs in using the name "Smith". During the transaction, the website stores a cookie that contains Smith's personal information on Smith's computer. A hacker can subsequently cause serious damage if he examines the cookie and edits it to his advantage. Generally, the hacker takes the original cookie (e.g. "Smith") and edits or reworks it to change it to "Jones". The hacker then re-encrypts the cookie, and the website now recognizes Smith as Jones.

How can cookie poisoning manipulations cause damage to your web applications? Through cookie poisoning, a hacker gets access to user accounts and the secured information within the account. Secure and sensitive information can also be stored in this way. As a result of cookie poisoning fraud, both the consumer and the website can face financial losses.

How we prevent them

Valency Networks performs detailed penetration testing of the web portal and its backend databases. The pen-test report, as we call it, sets out the solutions to protect cookies and prevent cookie-injection-based attacks.

Detection of cookie poisoning attacks involves compound HTTP statefulness. The intrusion prevention product must track the cookie "set" commands issued by the Web server. For each set command, the product should store important information such as the cookie name, the cookie value, the IP address and the session to which that cookie was assigned, as well as the time it was assigned. Next, the product needs to intercept each HTTP request sent to the Web server, extract the cookie information from it and check it against all stored cookies. If the attacker changes the content of a cookie, the product should be able to identify the change using the information it stores on the specific user. The product must track application-level sessions, and not just IP addresses, in order to provide accurate results.
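
The stateful check described above can be sketched as follows. This is an added example, not code from Valency Networks or any product: the `CookieTracker` class, the `SESSIONID` cookie name, and the sample addresses and values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"  # assumed name of the application's session cookie

@dataclass
class Issued:
    value: str        # value the server assigned
    client_ip: str    # address the cookie was sent to
    issued_at: float  # time of the Set-Cookie, kept for the alert record

class CookieTracker:
    def __init__(self):
        self.sessions = {}  # session id -> {cookie name: Issued}

    def observe_set_cookie(self, session_id, client_ip, set_cookie, now):
        """Record one Set-Cookie header the server sent within a session."""
        jar = self.sessions.setdefault(session_id, {})
        for name, morsel in SimpleCookie(set_cookie).items():
            jar[name] = Issued(morsel.value, client_ip, now)

    def check_request(self, client_ip, cookie_header):
        """Return (cookie name, reason) findings for one incoming request."""
        sent = {n: m.value for n, m in SimpleCookie(cookie_header).items()}
        jar = self.sessions.get(sent.get(SESSION_COOKIE))
        if jar is None:  # no application session to compare against
            return [(SESSION_COOKIE, "unknown-session")]
        findings = []
        for name, value in sent.items():
            issued = jar.get(name)
            if issued is None:
                findings.append((name, "never-set-by-server"))
            elif issued.value != value:
                findings.append((name, "value-changed"))
            elif issued.client_ip != client_ip:
                findings.append((name, "ip-changed"))
        return findings

def demo():
    # Constructed traffic: the server sets two cookies for session s-1001.
    t = CookieTracker()
    ip = "198.51.100.7"
    t.observe_set_cookie("s-1001", ip, "SESSIONID=s-1001; Path=/; HttpOnly", 1000.0)
    t.observe_set_cookie("s-1001", ip, "user=Smith; Path=/", 1000.0)
    clean = t.check_request(ip, "SESSIONID=s-1001; user=Smith")
    tampered = t.check_request(ip, "SESSIONID=s-1001; user=Jones")
    return clean, tampered
```

Because the stored state is keyed by the application session rather than the client address, an address change is reported as a separate, weaker signal than a changed value.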

Intrusion Detection and Prevention Systems which are not Web application oriented simply do not provide this functionality. These products are unable to trace users by the application session and are unable to store information on each specific user currently logged into the Web application.
Please consult us at Valency Networks, a Pune, India based firm specializing in cyber security consultancy.