Cookie hijacking attack
HTTP is a stateless protocol; cookies and sessions were introduced so that a server can maintain and track a user's state across requests.
First introduced with Netscape 0.9 on October 13, 1994, a cookie is a small amount of text-only data saved on your computer while you browse a certain website. This information can be used by websites to help create custom pages for you upon your return visits or save session information. For example, when you put items into an online shopping cart, cookies allow the host site to save them for when you log back in at a later date.
Are cookies safe?
If you’re concerned about web pages gathering information about your viewing habits, you can disable cookies or increase browser security to prompt you before any cookie is created. However, keep in mind some web pages require cookies to be enabled to work.
What is a tracking cookie?
A tracking cookie is one that is used by Internet advertisers and marketing companies. It contains unique information about your computer and browsing history, which is used by the company to deliver advertisements it believes you’d be most interested in viewing.
Another type of tracking cookie is a third-party cookie. These types of cookies are added to a computer by a website or company other than that for which the cookie is used. For example, the cbs.com website has a button for liking them on Facebook. Clicking the Facebook Like button on cbs.com adds a Facebook cookie to your computer. Because the cookie for Facebook came from cbs.com, the cookie is considered a third-party tracking cookie.
Why do anti-spyware programs warn me about tracking cookies?
Because these cookies can track your computer, they can be considered an invasion of privacy. It’s up to you to decide if you want to save or delete these files. Apart from the potential privacy concerns, tracking cookies pose no threat to your computer and do not contain malware or viruses.
A session begins when a user logs in to or accesses a particular computer, program or web page and ends when the user logs out of or shuts down the computer, closes the program or web page. A session can temporarily store information related to the activities of the user while connected. A session cookie is used in web pages for storing information in case the user leaves the web page or closes down their Internet browser. For example, this is one way a website can remember what is in your shopping cart if you leave and come back.
In computer programming, session variables are used to store temporary information, sometimes to use for retrieving and viewing data on multiple web pages. Websites requiring a username and password use session variables to help transfer data between web pages, but only while the user is logged into the computer.
The attacker submits form data (the tape label field in the demo) that carries a script, and the server stores that data. When the administrator logs in and clicks the link, the script sends the administrator's own cookie to the URL the attacker has set.
With that session id, the attacker gains administrator privileges for the lifetime of the session. Because the attack data has been written to the database, the attack keeps working for as long as that data is not deleted: it is persistent.
The attack is built on XSS: steal the cookie information and impersonate its owner. A demo video is available.
How does the server prevent it?
- Set the HttpOnly attribute on the cookie. A cookie with this attribute is only sent in HTTP requests; script cannot read it through document.cookie, so it has real defensive value against XSS. It does not help if the cookie is intercepted on the network or leaked in some other way.
- Add check information to the cookie that is tied to the user's external environment, such as the IP address or user agent. If the cookie is hijacked and replayed, the server-side verification finds that the check value has changed and asks the user to log in again. This is a good way to limit cookie hijacking.
- Replace the session id in the cookie regularly, so that the session id changes at a certain frequency while the change stays transparent to the user and the service experience stays consistent.
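As an added example (not code from the original article), the three server-side measures above combined in a small Python session handler built only on the standard library: the Set-Cookie line carries HttpOnly, the cookie carries an HMAC check value bound to the client's IP address and user agent, and the session id is rotated after a fixed interval. The names SessionStore, client_fingerprint and set_cookie_header, the demo secret, and the IP addresses and user-agent strings are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_NAME = "session"


@dataclass
class Session:
    user: str
    created: float       # login time, used for the absolute lifetime
    last_rotated: float  # time the current session id was issued


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client's external context that the cookie is bound to."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def sign(sid: str, fingerprint: str) -> str:
    """Check value carried inside the cookie: HMAC over the session id and the client context."""
    return hmac.new(SERVER_SECRET, f"{sid}|{fingerprint}".encode(), hashlib.sha256).hexdigest()


def set_cookie_header(value: str) -> str:
    """Set-Cookie line: HttpOnly keeps the value away from document.cookie."""
    return f"Set-Cookie: {COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


class SessionStore:
    """Server-side session table keyed by an opaque session id."""

    def __init__(self, rotate_after: float = 300.0, max_age: float = 3600.0):
        self._sessions = {}
        self.rotate_after = rotate_after  # seconds between session id replacements
        self.max_age = max_age            # absolute session lifetime in seconds

    def _issue(self, user: str, fingerprint: str, created: float, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, created, now)
        return f"{sid}.{sign(sid, fingerprint)}"

    def login(self, user: str, client_ip: str, user_agent: str, now=None) -> str:
        now = time.time() if now is None else now
        return self._issue(user, client_fingerprint(client_ip, user_agent), now, now)

    def validate(self, cookie: str, client_ip: str, user_agent: str, now=None):
        """Return (user, cookie_to_send) or (None, None) when the client must log in again."""
        now = time.time() if now is None else now
        sid, _, tag = cookie.partition(".")
        fingerprint = client_fingerprint(client_ip, user_agent)
        # Check value no longer matches the request's context: the cookie was
        # replayed from another IP / user agent (or tampered with), so reject it.
        if not hmac.compare_digest(tag, sign(sid, fingerprint)):
            return None, None
        sess = self._sessions.get(sid)
        if sess is None or now - sess.created > self.max_age:
            self._sessions.pop(sid, None)
            return None, None
        if now - sess.last_rotated >= self.rotate_after:
            # Rotate: the old id stops working, the user keeps the same session transparently.
            del self._sessions[sid]
            return sess.user, self._issue(sess.user, fingerprint, sess.created, now)
        return sess.user, cookie


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("admin", "198.51.100.7", "Mozilla/5.0 (demo)")
    print(set_cookie_header(cookie))
    print("same client:", store.validate(cookie, "198.51.100.7", "Mozilla/5.0 (demo)")[0])
    print("replayed elsewhere:", store.validate(cookie, "203.0.113.9", "curl/8.0")[0])
```

The caller writes the returned cookie back with set_cookie_header whenever it differs from the one received, which is how the rotation stays transparent to the user. Binding to the source IP is the strictest of the context checks and will force re-login for users whose address changes mid-session (mobile networks, some proxies); binding to the user agent alone is a looser but less disruptive choice.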