Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker’s point of view. As it turns out, a great many web applications (including sensitive ones such as bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more.
Developers tend to forget that multi-factor authentication will not help when cookies are processed insecurely. Security evaluators underestimate cookie-related problems. Moreover, modern browsers themselves have problems with secure processing of cookies, and browser-dependent exploitation can be used to launch more powerful attacks.
That’s why secure cookie processing (from the perspective of both the web application and the browser) is a subject worth discussing. The following topics will be presented:
– cookie-related vulnerabilities in web applications
– insecure processing of the Secure flag in modern browsers
– bypassing the HttpOnly flag in Safari
– problems with the Domain attribute in Internet Explorer
– cookie tampering in Safari
– underestimated XSS via cookie
– HTTP Strict Transport Security (HSTS)
– importance of regeneration
– and more
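The defensive side of several of the topics above (the Secure and HttpOnly flags, the scope-widening Domain attribute, HSTS, and regeneration of the session ID on login) can be shown in one place. The following is an added example, not code from the talk or its author; the helper names, the in-memory session store and the sample Set-Cookie headers are assumptions constructed for illustration.

```python
"""Defensive cookie handling: a hardened Set-Cookie builder, a Set-Cookie
auditor, session-ID regeneration on login, and an HSTS header value.
Added example; helper names and sample headers are constructed assumptions."""
import secrets
from typing import Dict, List, Optional


def build_session_cookie(name: str, value: str, *, max_age: int = 3600,
                         domain: Optional[str] = None, secure: bool = True,
                         httponly: bool = True, samesite: str = "Strict") -> str:
    """Return a Set-Cookie header value with the attributes a session cookie needs.
    Secure keeps it off plain HTTP, HttpOnly keeps it away from script, and
    SameSite limits cross-site sends. Domain is omitted by default because
    setting it shares the cookie with every subdomain."""
    parts = [f"{name}={value}", f"Max-Age={max_age}", "Path=/"]
    if domain:
        parts.append(f"Domain={domain}")
    if samesite:
        parts.append(f"SameSite={samesite}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def audit_set_cookie(header: str) -> List[str]:
    """Parse one Set-Cookie header value and list the weaknesses a reviewer
    would flag. Returns an empty list for a well-formed hardened cookie."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name = name_value.partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, readable on the wire")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by injected script (XSS)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: attached to cross-site requests (CSRF)")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    # The __Host- prefix (RFC 6265bis cookie prefixes) is only honoured when
    # Secure is set, Path is "/" and no Domain attribute is present.
    if name.startswith("__Host-") and (
            "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


class SessionStore:
    """In-memory session table (constructed for the example) that issues a
    fresh ID whenever the session's privilege level changes."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Authenticate and regenerate: the pre-login ID is discarded, so an ID
        known before authentication never becomes an authenticated one."""
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def hsts_header(max_age: int = 31536000, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security value: once seen, the browser upgrades to HTTPS
    before sending anything, closing the plain-HTTP window that the Secure flag
    alone leaves open for the first request."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


if __name__ == "__main__":
    # Constructed sample: a weak header beside the hardened one.
    weak = "sid=abc123; Path=/; Domain=example.com"
    print(weak, "->", audit_set_cookie(weak))
    good = build_session_cookie("__Host-sid", "abc123")
    print(good, "->", audit_set_cookie(good))
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("old id still valid:", store.user_for(anon) is not None,
          "| new id user:", store.user_for(authed))
    print("Strict-Transport-Security:", hsts_header())
```

The auditor is the check worth running against a real application's responses: it is deliberately strict (it reports a Domain attribute as a finding even when intended), because each reported item maps to one of the attack classes the topic list names. The session store shows why regeneration matters independently of the cookie flags: without it, an ID obtained before login stays valid after login.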