Cookies are where web applications store authentication (session) data. If you are able to place a copy of the target's cookie in your own browser, you can log in to the target account without any password, provided the web application is vulnerable.
Impersonating cookies
If there is an XSS vulnerability, the cookie can be stolen with the JavaScript expression document.cookie. It returns a string, and that string can be placed in your browser with the help of a plugin such as Cookie Manager for Firefox.
Another way is to sniff the traffic and capture the cookie if the web application is not using a secure channel (HTTPS). If it is using a secure channel, there is no way to get the data unless the application supports both the HTTP and HTTPS versions.
If a web application supports both secure and insecure channels, an attacker can send a link using HTTP and exploit the web application's XSS to obtain the cookie.
If you are able to place the authenticated cookie from the vulnerable web application in your browser, you are authenticated as the user that cookie belongs to.
Secure Flag and HttpOnly
HttpOnly is a cookie flag that stops JavaScript from reading the cookie through document.cookie, but the cookie can still be obtained with the help of XST (Cross-Site Tracing).
HTTP TRACE is a method used for debugging purposes. When a web server receives a TRACE request, it echoes the request back in the response, and that response contains the cookie even if the HttpOnly flag is set.
If a web application is vulnerable to XSS and HttpOnly is enabled, an attacker would have to find a way to send a TRACE request; if that succeeds, the cookie can be read.
Most modern browsers do not allow the HTTP TRACE method in XMLHttpRequest, so there is no possibility of carrying out this attack from them.
Best way to secure cookies in a web application
The best way to secure cookies is to disable HTTP TRACE on the server, send cookies only over a secure channel (the Secure flag), and set the HttpOnly flag.
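As an added example (not code from the original post), here is a small Python WSGI app that applies the three recommendations above: it refuses TRACE requests, issues the session cookie with the Secure and HttpOnly flags, and includes an audit helper that reports which of those flags a given Set-Cookie header is missing. The cookie name, value and SameSite attribute are assumptions chosen for the demonstration.

```python
from wsgiref.util import setup_testing_defaults

# Flags the post recommends; SameSite=Lax below is an extra, assumed hardening.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def build_session_cookie(name, value, max_age=3600):
    """Return a Set-Cookie header value carrying the hardening flags."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header_value):
    """Return the list of required flags missing from a Set-Cookie value.

    Attribute names are case-insensitive, so compare in lower case.
    An empty list means the cookie is hardened as the post recommends.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def app(environ, start_response):
    """Minimal WSGI app: rejects TRACE, otherwise sets a hardened cookie."""
    if environ.get("REQUEST_METHOD", "").upper() == "TRACE":
        # Disabling TRACE removes the XST path to HttpOnly cookies.
        start_response("405 Method Not Allowed",
                       [("Allow", "GET, POST"), ("Content-Type", "text/plain")])
        return [b"TRACE is disabled\n"]
    cookie = build_session_cookie("session", "constructed-session-id")
    start_response("200 OK",
                   [("Content-Type", "text/plain"), ("Set-Cookie", cookie)])
    return [b"ok\n"]


def call_app(method):
    """Drive the app in-process with a constructed environ.

    Returns (status, headers dict, body bytes) so the result can be checked.
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Run audit_set_cookie over the Set-Cookie headers your own application emits to catch cookies that lack the Secure or HttpOnly flag before they reach production.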