Cookies Hacking

    Cookies and sessions are both used to store information. Cookies are stored only on the client-side machine, while sessions are stored on the client as well as on the server. Cookies remain one of the largest areas of computing that the average user just doesn’t understand, and there are myriad ways that a hacker can take advantage of cookies to steal a user’s personal information. Cookie stealing, which is synonymous with session hijacking, allows an attacker to log into a website that is protected with a user’s username and password by stealing session data in real time. But before we delve into the different ways of stealing cookies, we first need to understand what a session is and how cookies work.

What is a session?

    A session creates a file in a temporary directory on the server where registered session variables and their values are stored. This data will be available to all pages on the site during that visit.

    Session is a term in computing – more specifically, networking – that gets thrown around a lot, but it can seem like jargon to the aspiring hacker. In networking terms, the fifth layer of the OSI model is called the Session layer.

Cookies

    Cookies are small repositories of data that are stored within your web browser by a web server. They are rife with security concerns, and some of them can even track your online activity. Whenever you visit a website, the cookie stored in your browser serves as a type of ID card. Each additional time you log in or request resources from the same web server, the cookie saved in your browser sends its stored data to the web server. Though cookies make browsing the web a lot more convenient, they do have a lot of security drawbacks.

Types of Cookies and Security Problems 

    In theory, the only other online entity that can read cookies stored in your browser is the website that stored them there originally. However, it’s surprisingly easy for scripts to mine data from cookies, and there are some exceptionally dangerous types of cookies that are rife with security threats. The problem is that special types of cookies aren’t stored within your browser, so even if you opt for a different web browser (Firefox, Chrome, etc.), the cookie will still be active. If you attempt to delete the cookie but notice that it keeps coming back every time you restart your browser, you’ve discovered a zombie cookie and may need special security software to remove it.

Encrypt cookie data

    HTTP cookies often come from the web server, so consider encrypting cookie values. This adds a layer of protection since the browser client can’t decrypt the data, which makes HTTP cookies meaningful only to the back-end application. Server-side encryption adds more protection because the client can’t sniff the cookies. With encryption, the server becomes the sole source of truth for HTTP cookies. A good approach is to prevent the client from knowing what the cookie means on the server. This prevents attackers from sniffing cookie values and crafting attacks on the server. This means there is no need to take the cookie value and assume it is valid on the server.
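
    One way to apply the advice above, as an added example that is not code from the original post: the server seals each cookie value with authenticated encryption, so the browser holds an opaque string and any edited value is rejected instead of being assumed valid. The choice of AES-256-GCM, the per-process key, the helper names (sealCookie, openCookie, flipBit) and the cookie names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a 32-byte key held only by the server. Generated per process here;
// a real deployment would load it from a secret store so it survives restarts.
const KEY = crypto.randomBytes(32);

// Encrypt a value for the cookie called `name`. Output: base64url(iv || tag || ciphertext).
function sealCookie(name, value, key = KEY) {
  const iv = crypto.randomBytes(12);            // fresh 96-bit nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));     // bind the ciphertext to the cookie name
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Decrypt a cookie value. Returns the plaintext, or null if the value was
// truncated, modified, sealed under another key, or moved to another cookie name.
function openCookie(name, sealed, key = KEY) {
  try {
    const raw = Buffer.from(String(sealed), 'base64url');
    if (raw.length < 28) return null;           // 12-byte iv + 16-byte tag at minimum
    const iv = raw.subarray(0, 12), tag = raw.subarray(12, 28);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
    decipher.setAAD(Buffer.from(name, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  } catch {
    return null;                                // a value that fails authentication is never trusted
  }
}

// Flip one bit of a sealed value, as a client editing its own cookie would.
function flipBit(sealed) {
  const raw = Buffer.from(sealed, 'base64url');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64url');
}

// Constructed sample value, for illustration only.
const sample = JSON.stringify({ uid: 1001, role: 'user' });
const cookie = sealCookie('session', sample);
console.log('Set-Cookie: session=' + cookie);
console.log('round trip :', openCookie('session', cookie));
console.log('tampered   :', openCookie('session', flipBit(cookie)));
console.log('wrong name :', openCookie('prefs', cookie));
```

    Plain encryption without an authentication tag would hide the value but still let a client alter the ciphertext undetected, which is why the example uses an authenticated mode.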


 Disclaimer 
    This blog's intent is to spread awareness about Cookies Hacking. We are not responsible if any damage occurs. This is for educational purposes only.
