Saturday 15 October 2016

HOW TO SECURE COOKIES FROM ATTACKERS

In the previous blog we discussed why sessions are needed because of the statelessness of the HTTP protocol, together with the session ID structure and its security at generation time. In that blog we concluded that cookies are the best method for passing the session ID.

COOKIES:

Cookies are simply small files holding data such as the language used by the client, the time of the visit to the website, the links that were clicked and, most importantly, the items added to the shopping basket while shopping online; all of this is stored on the client side.
We use cookies for exchanging the session ID because cookies provide several security features through their attributes.

COOKIES ATTRIBUTES:

1. Secure Attribute
2. HttpOnly Attribute
3. Expire Attribute
4. Domain and Path Attribute

SECURE ATTRIBUTE:

The Secure attribute informs the web browser that the cookie must only be sent over an encrypted channel (HTTPS).
If the Secure attribute is not used, an attacker can intercept the packet carrying the cookie with an intercepting proxy such as Burp Suite, Paros Proxy or OWASP ZAP in a MITM (Man In The Middle) attack.

HTTPONLY ATTRIBUTE:

If the HttpOnly attribute is not set, an attacker can steal your session ID by reading the document.cookie object through a Cross-Site Scripting attack. The HttpOnly attribute informs the browser not to allow scripts (e.g. JavaScript, VBScript) to access the cookie.

EXPIRE ATTRIBUTE:

An attacker can hijack your session when the Expire attribute is not set for active sessions, so it is mandatory to set an expiration time. The value depends on the purpose of the web application, balancing usability and security for each session; a shorter lifetime decreases the time an attacker has to hijack your session.

DOMAIN AND PATH ATTRIBUTE:

DOMAIN: In simple terms, this attribute determines the hosts to which the cookie will be sent. Setting this attribute correctly is a major concern for developers, and it should not be set too loosely. The domain should be set to the server to which the client is meant to send the cookie.
For example: this is important for the tester to check.

PATH: This attribute signifies the path for which the cookie is valid. Just like the DOMAIN attribute, it should not be set loosely, because that may lead to attacks by other vulnerable applications on the same server. The important point is that if the Path attribute is set to "/" then the cookie is sent to every application within the same domain.
For example: this is important for the tester to check.
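As an added example (not code from the original post), here is a small Python checker that parses a Set-Cookie header and reports the weaknesses described above for the Secure, HttpOnly, Expire, Domain and Path attributes. The two sample headers, the issuing host and the maximum acceptable lifetime are constructed assumptions for illustration.

```python
# Audit of Set-Cookie headers against the attributes discussed in this post.
# Constructed sample headers (not taken from any real application):
WEAK_HEADER = "SESSIONID=abc123; Domain=example.com; Path=/"
HARDENED_HEADER = ("SESSIONID=abc123; Secure; HttpOnly; Max-Age=900; "
                   "Domain=app.example.com; Path=/app")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, issuing_host, max_lifetime=3600):
    """Return the list of weaknesses found in a session cookie header.
    issuing_host is the host that sent the header (assumed, for the Domain
    check); max_lifetime is the assumed longest acceptable lifetime in seconds."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: scripts can read it via document.cookie")
    if "max-age" in attrs:
        if int(attrs["max-age"]) > max_lifetime:
            findings.append("Max-Age too long: widens the session hijacking window")
    elif "expires" not in attrs:
        findings.append("Expires/Max-Age missing: no expiration time set")
    domain = attrs.get("domain")
    # A Domain broader than the issuing host is delivered to sibling hosts too.
    if isinstance(domain, str) and domain.lstrip(".").lower() != issuing_host.lower():
        findings.append("Domain too loose: cookie sent to every host under " + domain)
    if attrs.get("path") == "/":
        findings.append("Path is '/': cookie sent to every application on the host")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_session_cookie(hdr, "app.example.com") or ["no findings"])
```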

Cookie attributes are set properly by Gmail, especially the DOMAIN and PATH attributes:

Example of Gmail


TESTING TOOLS:

INTERCEPTING PROXY:

TESTING BY OWASP ZAP

BROWSER EXTENSION:

Firebug in Mozilla Firefox can be used to check whether the cookie attributes are set properly or not.
FIREBUG

SUMMARY:

In this post I focused on the cookie Secure, HttpOnly, Expire, Domain and Path attributes, which are important to prevent session hijacking attacks.
