Web App Hacking: Cookie Attacks

In this course, you will learn how severe consequences can happen as a result of insecure cookie processing. You will see how cookie attacks work in practice and how to test web applications for various cookie processing flaws.
Course info
Rating
(82)
Level
Beginner
Updated
Aug 22, 2016
Duration
1h 2m
Description

Cookies are interesting for attackers because of the sensitive data they store. This course, Web App Hacking: Cookie Attacks, will teach you how to avoid the severe consequences of insecure cookie processing. First, you'll learn how cookies with sensitive data can leak over an insecure channel. Next, you'll learn how an attacker can hijack cookies remotely. You'll also learn about weaknesses in the cookie lifecycle and see one of the most underestimated cookie attacks, XSS via cookie. Finally, you'll learn how an attacker can tamper remotely with the user's cookies. By the end of the course, you'll know how cookie attacks work in practice and how to test web applications for various cookie processing flaws. What's more, you will learn how to process cookies securely.

About the author

Dawid Czagan is listed among the Top 10 Hackers by HackerOne. He has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, and other companies. Due to the severity of these bugs, he has received numerous awards for his findings.

Section Introduction Transcripts

Course Overview
Hi everyone, my name is Dawid, welcome to my course Web App Hacking: Cookie Attacks. I am a security instructor, researcher, and bug hunter. Cookies are interesting for attackers, because they store sensitive data. In this course you will learn how severe consequences can happen as a result of insecure cookie processing. I will present how cookies with sensitive data can leak over an insecure channel. You will see how the attacker can remotely hijack sensitive cookies of the user. I will discuss weaknesses in the cookie lifecycle. And I will present one of the most underestimated cookie attacks, XSS via cookie. Finally, I will show you how the attacker can tamper remotely with cookies of the user. By the end of the course, you will know how cookie attacks work in practice and how to test web applications for various cookie processing flaws. What's more, you will learn how to process cookies securely. I hope you will join me on this journey to learn cookie attacks with the Web App Hacking: Cookie Attacks course at Pluralsight.

Leakage of Cookie with Sensitive Data
In this module I will show you how a cookie with sensitive data can leak over insecure channels. You will not only learn how this attack works, but you will also learn how to prevent this attack from happening. First of all, I will describe the difference between HTTP and HTTPS. When the browser is communicating with the web application, the communication can go over HTTP or HTTPS, and we need to understand the difference between them. Then I will discuss one of the optional attributes in the Set-Cookie header, the Secure attribute. This attribute is used to protect the confidentiality of our sensitive cookies. And finally I will show you a demo, and in the demo you will see how the leakage of a cookie with sensitive data can happen in reality.

Cookie Hijacking
In this module I will show you how the attacker can remotely hijack sensitive cookies of the user. First of all, I will introduce you to one of the most prevalent and dangerous attacks, the cross-site scripting attack, in short, XSS. When this attack is launched, the attacker wants to steal the session ID of the user. That's why the HttpOnly attribute was introduced to prevent it from happening, and it will be discussed in the next section. Finally, I will show you a demo, and in the demo you will see how the attacker can remotely hijack sensitive cookies of the user.
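The two attributes named in the previous two modules, Secure and HttpOnly, are the first thing to check when testing a web application's Set-Cookie headers. The following checker is an added example written for this page, not code from the course; the sample headers are constructed, and the SENSITIVE_HINTS name heuristic is an assumption used to limit findings to cookies that look like session or authentication cookies.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.
Constructed example; the headers and the name heuristic are assumptions."""
SENSITIVE_HINTS = ("session", "sid", "token", "auth")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means nothing found.
    Only cookies whose name looks sensitive are reported: the flags matter for a
    session ID, not for a UI-preference cookie."""
    cookie = parse_set_cookie(header)
    if not any(hint in cookie["name"].lower() for hint in SENSITIVE_HINTS):
        return []
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing Secure, browser may send it over plain HTTP")
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing HttpOnly, readable by injected script")
    return findings


def audit_response_headers(headers: list) -> list:
    """Audit every Set-Cookie header of one response given as (name, value) pairs."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_set_cookie(hvalue))
    return findings


# Constructed response: one weak session cookie, one hardened cookie, one harmless.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=d41d8cd98f00b204; Path=/"),
    ("Set-Cookie", "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(finding)
```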

Weaknesses in Cookie Lifecycle
In this module I will discuss weaknesses in the cookie lifecycle. First I will discuss the importance of regeneration; you will learn why it is so important to regenerate sensitive cookies. Then I will show you a demo, and in the demo you will see how the attacker can impersonate a user when the cookie with the session ID is not regenerated at the time of authentication. Then you will learn about server-side invalidation and why it is such an important subject. I will discuss the significant difference between invalidation of the cookie with the session ID on the server side and deletion of this sensitive cookie from the user's browser. Finally, I will show you another demo, and in this demo you will see how to get access to the account of a logged-out user when the cookie with the session ID is not invalidated on the server side at the time of logging out.
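The two lifecycle weaknesses named above, no regeneration at login and no server-side invalidation at logout, come down to what the server keeps in its session table. The toy store below is an added example written for this page, not the course's or any framework's code; each flag defaults to the secure behaviour, and setting it to False reproduces the corresponding flaw so the two check functions can show the difference.

```python
"""Toy server-side session store showing why the session ID must be regenerated
at login and invalidated on the server at logout. Constructed example."""
import secrets


class SessionStore:
    def __init__(self, regenerate_on_login=True, invalidate_on_logout=True):
        # Both flags True is the secure configuration; False reproduces the flaw.
        self.regenerate_on_login = regenerate_on_login
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # session ID -> authenticated user (None before login)

    def start(self) -> str:
        """Issue an anonymous session, as a site does on the first visit."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate; returns the session ID the browser must use from now on."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            # Drop the pre-authentication ID so knowing it gains nothing after login.
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        if self.invalidate_on_logout:
            self._sessions.pop(sid, None)
        # Otherwise only the browser's copy is deleted; the server still honours sid.

    def user_for(self, sid: str):
        return self._sessions.get(sid)


def pre_login_id_still_works(store: SessionStore) -> bool:
    """Does an ID issued before login still identify the user afterwards?"""
    pre_auth_id = store.start()
    store.login(pre_auth_id, "alice")
    return store.user_for(pre_auth_id) == "alice"


def logged_out_id_still_works(store: SessionStore) -> bool:
    """Does a session ID from before logout still resolve to the user after it?"""
    sid = store.login(store.start(), "alice")
    store.logout(sid)
    return store.user_for(sid) == "alice"
```

Both check functions return False for the default store and True for the flawed configuration, which is exactly the property a logout or login test against a real application should verify.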

Underestimated Risk: XSS via Cookie
In this module I will discuss one of the most underestimated cookie attacks, XSS via cookie. I introduced the XSS attack in one of the previous modules; in this module I will focus on XSS via cookie. In other words, an XSS attack which is executed as a result of insecure cookie processing. Many people claim that this attack can only be executed locally, because in their opinion the attacker cannot set a cookie remotely in the cookie jar of the user. But this is not true, and I will show you in this module how the attacker can use cross-origin exploitation to launch XSS via a cookie remotely. I will also show you a demo, and in the demo you will see how cross-origin exploitation works in practice. Finally, I will discuss how to prevent XSS via cookie from happening.

Remote Cookie Tampering
In this module you will learn how the attacker can use browser-dependent exploitation to tamper remotely with cookies of the user. First I will explain why browser-dependent exploitation is interesting from the attacker's point of view. Then I will discuss how a comma-separated list of cookies can be used in Safari to tamper remotely with cookies of the user. And in the demo you will see how this attack works in practice. Finally, the countermeasure for this attack will be discussed.