Cookie poisoning is the manipulation or forging of session cookies in order to bypass security controls, impersonate a user, or breach privacy. By forging these cookies an attacker can pose as a legitimate client and so read information and perform actions on the victim's behalf; alternatively, an attacker can intercept a genuine cookie, alter its values, and trick the server into accepting the modified version in place of the original. Session cookies (or, more generally, session tokens) can be forged in this way because tokens are not always generated, protected and validated securely.
A cookie is information that a web site stores on your computer so that it can remember something about you at a later time. More technically, it is data intended for future use that the server stores on the client side of a client / server communication. Typically, a cookie records your preferences when using a particular site. HTTP itself is stateless: each request for a web page is independent of every other request, so without cookies the web server has no memory of which pages it has previously sent to a user or of anything about earlier visits.
A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer. Cookies stored on your computer's hard drive maintain bits of information that allow web sites you visit to authenticate your identity, speed up your transactions, monitor your behavior, and personalize their presentations for you.
How do cookies work?
When a user visits a site, the site sends a tiny piece of data, called a cookie, which is stored on the user's computer by their browser. The browser sends the cookie back to the server with every request the browser makes to that server, such as when the user clicks a link to view a different page or adds an item to a shopping basket.
The data stored in the cookie lets the server know with whom it is interacting so it can send the correct information back to the user. Cookies are often used by web servers to track whether a user is logged in, and to which account. Cookie-based authentication is stateful: the server keeps a session record that spans many requests, and this has been the default method for handling user authentication for a long time. It binds the user's authenticated identity to each of the user's requests, and the web application applies the appropriate access controls on that basis.
A typical example of cookie use begins with a user entering their login credentials, which the server verifies. The server then creates a session, stores it in a database, and returns a cookie containing the session ID to the user's browser. On every subsequent request the browser sends the cookie back, and the server looks the session ID up in the database; if it is valid, the request is processed as that user. When the user logs out, the session is usually destroyed on both the client and the server side. If the user checked the “Keep me logged in” or “Remember me” option, the cookie is given an expiry date so that it persists on the user's computer after the browser is closed, instead of being discarded at the end of the browser session.
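The login-to-logout flow described above, as an added example in Python; this is not code from the original page. A hypothetical in-memory SESSIONS dictionary stands in for the session database and a constructed USERS table supplies the credentials. Session IDs are drawn from the operating system's CSPRNG so they cannot be predicted or enumerated, only the opaque ID ever reaches the client, and the cookie is issued with the HttpOnly, Secure and SameSite attributes.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

# Constructed demo credentials. A real application stores salted password
# hashes, never plaintext; this is only enough to drive the flow below.
USERS = {"alice": "correct horse battery staple"}

# Hypothetical in-memory stand-in for the server-side session database:
# session_id -> session record. Nothing but the opaque ID ever reaches the client.
SESSIONS = {}


def login(username, password):
    """Verify credentials; on success create a session and return the Set-Cookie header line."""
    if USERS.get(username) != password:
        return None
    # 32 random bytes (256 bits) from the OS CSPRNG. A counter, timestamp or
    # hash of the username here would make other users' sessions guessable.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username}
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # not readable by page scripts, which limits theft via XSS
    cookie["session"]["secure"] = True     # only ever sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # not attached to most cross-site requests
    return cookie.output(header="Set-Cookie:")


def _session_id_from(cookie_header):
    """Extract the session cookie value from a request's Cookie header, or None."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:  # malformed header: treat as "no cookie" rather than crash
        return None
    morsel = cookie.get("session")
    return morsel.value if morsel else None


def current_user(cookie_header):
    """Resolve the request's cookie to a logged-in username; None if absent, unknown or forged.

    A forged or guessed ID simply has no record on the server side, so it
    grants nothing: the client never holds anything worth editing.
    """
    session_id = _session_id_from(cookie_header)
    if session_id is None:
        return None
    record = SESSIONS.get(session_id)
    return record["user"] if record else None


def logout(cookie_header):
    """Destroy the server-side session; the cookie value is then useless even if it lingers on the client."""
    session_id = _session_id_from(cookie_header)
    return SESSIONS.pop(session_id, None) is not None
```

Because the cookie carries only a random identifier, the sensitive state (who is logged in, with what privileges) never leaves the server, and a session can be revoked at any time by deleting its record.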
How are cookies manipulated / poisoned?
Cookies can be read or altered by unauthorized parties when they are inadequately protected. An attacker can inspect a cookie to work out what each field is for and then edit it so that it yields user information from, or access to, the site that set it.
Cross-site scripting (XSS) injection attacks are a common method of stealing session cookies. If attackers find a page on a site that is vulnerable to XSS, they can inject a script into it that sends them the session cookie of everyone who views the page. The cookie then lets the attackers impersonate its rightful owner and remain logged in to the victim's account for as long as the session stays valid, without ever entering a password.
Alternative cookie attacks include predicting, brute-forcing, or replaying the contents of a valid authentication cookie. Any such forged or captured cookie lets the attacker impersonate one of the site's genuine users.
How can we prevent cookie poisoning?
Because cookie poisoning is easy to attempt, adequate protection should detect cookies that were modified on the client machine by verifying that each cookie the client sends back is identical to the one the server set; in practice this means the server must be able to recognise its own cookies, for example by signing their values so that any change is detectable.
Ingrian Networks has developed a patented platform that provides a means of ensuring cookie authenticity. When cookies pass through the platform, sensitive information in them is encrypted, and a digital signature is created that is used to validate the content in all future communications between the sender and the recipient. If the content is tampered with, the signature no longer matches it and the server rejects the request.
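The integrity check described in the two paragraphs above (confirming that the cookie the client returns is the one the server issued, by signing it), as an added example in Python rather than any vendor's product or code from this page. Cookie values carry an HMAC-SHA256 tag computed under a hypothetical server-side SECRET_KEY, the verifier compares tags in constant time, and tamper_demo shows a forged body claiming the admin role being rejected while the genuine cookie is accepted. An issue time is included in the signed payload so that a captured cookie cannot be replayed indefinitely.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key for this demo. A real deployment loads it
# from a secret store and rotates it; it must never be sent to the client.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, issued_at: int) -> str:
    """Serialize the payload plus its issue time and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    data = dict(payload, iat=issued_at)
    body = _b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(value: str, now: int, max_age: int = 3600):
    """Return the payload if the tag matches and the cookie is fresh.

    Returns None for anything tampered, forged, malformed or stale, so the
    caller treats every failure identically (as "not logged in").
    """
    try:
        body, tag = value.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time comparison
            return None
        data = json.loads(_unb64(body))
    except ValueError:  # covers bad base64, bad JSON and a missing '.' separator
        return None
    if not isinstance(data, dict):
        return None
    issued_at = data.get("iat")
    if not isinstance(issued_at, int):
        return None
    age = now - issued_at
    if age < 0 or age > max_age:  # from the future or older than the allowed lifetime
        return None
    return data


def tamper_demo(now: int = 1_700_000_000):
    """Issue a cookie for an ordinary user, then reuse its tag on a body that claims the admin role."""
    cookie = sign_cookie({"user": "alice", "role": "user"}, issued_at=now)
    _body, tag = cookie.split(".", 1)
    # The attacker can read and rewrite the body (it is only base64), but cannot
    # recompute the tag without SECRET_KEY, so the old tag no longer matches.
    forged_body = _b64(json.dumps({"iat": now, "role": "admin", "user": "alice"},
                                  separators=(",", ":"), sort_keys=True).encode())
    forged = f"{forged_body}.{tag}"
    return verify_cookie(cookie, now), verify_cookie(forged, now)
```

Signing gives integrity and origin, not secrecy: the body is plain base64 and anyone holding the cookie can read it, which is why the platform described above also encrypts sensitive fields. A signed cookie that is stolen intact still verifies until it ages out, so short lifetimes, or a server-side session record that can be revoked, remain necessary against theft and replay.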
In addition, web applications should be designed so that security-critical parameters are not stored in cookies at all, which limits the damage if a cookie is stolen or forged.