3 important things to know about cookie security
The main risk with unprotected cookies is user impersonation. This occurs when malicious actors exfiltrate sensitive session/authentication tokens that have been stored in cookies, leading to the theft of credentials and personally identifiable information (PII), as well as credit card fraud. These types of attacks are typically the result of cross-site scripting (XSS), cross-site request forgery (CSRF), and network eavesdropping.
In this blog, we’ll look at cookie security and why organizations should be concerned, especially when it comes to user access tokens that are stored in cookies. We will also offer some thoughts on what companies can do to identify and reduce cookie security risks.
HTTP & HTTPS and cookie security
HTTP is the primary protocol for transferring data on the web, so the majority of information that travels between browsers and servers is communicated using the rules and definitions established by HTTP. By default, HTTP works without encryption. All data exchanged between two parties is in plain text, and any third party viewing or “listening” to this data exchange can easily read the content. The types of information transferred over HTTP can range from cookies to content and API calls.
HTTPS is the secure version of HTTP and uses SSL/TLS by default to encrypt HTTP requests and responses.
So, instead of seeing something like this over unencrypted HTTP:
GET /greeting.txt HTTP/1.1
User-Agent: curl/7.63.0 libcurl/7.63.0 OpenSSL/1.1.1 zlib/1.2.11
An attacker sees something like this with HTTPS:
Web applications use HTTP cookies (a web cookie or a browser cookie) for three main reasons: session management, personalization, and tracking. Cookies are used to indicate whether multiple requests come from the same browser, for example, to keep a user logged in.
Even with most web applications now running only in HTTPS mode, misconfigurations can still occur that expose an unprotected HTTP version of an API.
There are three main ways to secure cookies so that they cannot be viewed intentionally or unintentionally by a third party: the Secure attribute, the SameSite attribute and the HTTPOnly attribute.
To prevent cookie theft using man-in-the-middle or eavesdropping attacks that target unprotected HTTP cookies, developers and security professionals use what is called the “secure flag” to ensure that cookies are only transmitted over a secure connection (SSL/HTTPS). This means that a web browser will never send the cookie if the connection is plain HTTP. To set a “secure flag”, the developer or security professional must set it during an HTTPS connection, otherwise the security setting is ignored.
Since most web applications now only work in HTTPS mode, the “secure flag” settings might seem a bit meaningless, since no significant communication should take place over the HTTP protocol. However, as mentioned earlier, misconfiguration in a web application can expose an unprotected HTTP version of an API, in which case the “secure flag” setting is useful.
This setting is also useful to prevent common eavesdropping attacks that target unprotected HTTP cookies.
Set-Cookie: sessionid=MqUckOwtyxZ9; HttpOnly; Secure
Example of setting the above cookie in PHP:
setcookie("sessionid", "MqUckOwtyxZ9", ['httponly' => true, 'secure' => true]);
It is important to note that while the Secure flag can prevent man-in-the-middle cookie theft or eavesdropping attacks, it does not protect against cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks.
HTTP only flag
The HTTPOnly flag is useful for adding a layer of protection against malicious actors who attempt to steal personal access tokens located in cookies, allowing them to impersonate a specific user.
The SameSite flag is an auxiliary flag that provides some defense and control against cross-site request forgery (CSRF) attacks. However, the SameSite flag will not protect all actions in a CSRF. For example, malicious CSRF code could attempt to initiate a GET/POST request (which may circumvent the browser’s same-origin policy). The attack could then perform malicious actions on the site to which the user is connected.
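As an added example (not Feroot’s code), the following Python audits Set-Cookie header values taken from a server response for the three attributes covered above. It also catches the silent failure where a misspelled attribute such as “Secured” is ignored by the browser, leaving the cookie without the Secure protection the developer intended. The sample headers are constructed.

```python
# Added example, not code from the original post: audit Set-Cookie header values for
# the Secure, HttpOnly and SameSite protections described above. Samples are constructed.
# RFC 6265: attribute names are case-insensitive and unrecognized ones are ignored,
# so a misspelling such as "Secured" silently leaves the cookie without Secure.
KNOWN = {"secure", "httponly", "samesite", "path", "domain", "expires", "max-age"}

def parse_set_cookie(value: str) -> dict:
    """Split one Set-Cookie value into its name, flags and unrecognized attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    info = {"name": parts[0].partition("=")[0].strip(), "secure": False,
            "httponly": False, "samesite": None, "unknown": []}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info["secure"] = True
        elif key == "httponly":
            info["httponly"] = True
        elif key == "samesite":
            info["samesite"] = val.strip().lower() or None
        elif key not in KNOWN:
            info["unknown"].append(attr)
    return info

def audit_set_cookie(value: str) -> list[str]:
    """Return findings for one Set-Cookie value; empty means all three flags are set."""
    c = parse_set_cookie(value)
    findings = []
    if not c["secure"]:
        findings.append("missing Secure: sent over plain HTTP, exposed to eavesdropping")
    if not c["httponly"]:
        findings.append("missing HttpOnly: readable by page scripts, exposed to XSS theft")
    if c["samesite"] is None:
        findings.append("missing SameSite: set Lax or Strict to limit cross-site requests")
    elif c["samesite"] == "none" and not c["secure"]:
        findings.append("SameSite=None requires Secure; browsers reject this cookie")
    for attr in c["unknown"]:
        findings.append(f"unknown attribute '{attr}' is ignored by browsers")
    return findings

# Constructed samples; the first carries a common misspelling of the Secure attribute.
SAMPLES = [
    "sessionid=MqUckOwtyxZ9; HttpOnly; Secured",
    "sessionid=MqUckOwtyxZ9; HttpOnly; Secure; SameSite=Lax; Path=/",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, *("  - " + f for f in audit_set_cookie(header) or ["ok"]), sep="\n")
```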
Automated script protection
The post 3 Important Things to Know About Cookie Security appeared first on Feroot.
*** This is a syndicated blog from Feroot’s Security Bloggers Network written by Breno Torres. Read the original post at: https://www.feroot.com/blog/3-important-things-to-know-about-cookie-security/