Cookie Tampering

EXPLOITATION

Cookie tampering is the practice of editing the cookies sent in requests to a server in order to gain access to resources that would otherwise not be available.

For more general info about cookie mechanisms through a pen testing lens, check out this article.

DECODING AND ENCODING

Cookies are often encoded with base32 or base64, which converts binary data into printable characters. An encoded cookie looks like a string of random letters and digits rather than readable values.

Encoding, unlike hashing, isn't a security function: anyone holding the cookie can reverse it. Online tools that handle base32 and base64 will turn an encoded cookie into readable values that can be modified.

The same tools re-encode the modified values into an encoded string before the tampered request is sent.

SESSION HIJACKING

Since cookies can store session information such as login credentials, an attacker who steals a user's cookies and sends them to the target web server can hijack that user's browser session, along with any information saved in it between client and server, and impersonate that user.

The server reads the cookies and treats the request as the other user's session, granting the attacker the same access that user's cookies would have. Check out this article for an ultimate guide to session hijacking using cookies.

SESSION FIXATION

Unlike session hijacking, session fixation is an attack in which the attacker establishes a session ID in the victim's browser before the victim authenticates to the website or enters sensitive information. Because the attacker already knows that session ID, they can use it later to view the victim's information.

There are several ways that a session fixation attack can be executed.

  • URL Argument

One common way is for the attacker to obtain a session cookie from the target web app and send that session ID to the victim in a link, so that the victim logs in using the attacker's cookie. The victim then provides their login credentials or other sensitive information, which is saved in that session. Because the attacker supplied the session ID, they already know it and can access the victim's account and any information saved once the victim signed in using the previously established session.

  • Client-side scripting

The attacker could use code injection in an XSS attack to place script in the hyperlink sent to the victim; that script sets the attacker's chosen session ID in the victim's cookie.

  • Packet interception

If an attacker can position themselves between the client's browser and the web server, they can intercept the HTTP headers and alter the server's response by inserting a Set-Cookie header, thus fixing whatever session ID they choose between the victim's browser and the web server.

OWASP has a comprehensive guide on session fixation here.
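The defensive counterpart to the three techniques above, written here as an added Python example rather than code from the original page: a toy server-side session store that only honours IDs it issued itself (so an ID planted via a URL, a script or an injected Set-Cookie header is simply unknown), discards the pre-authentication session and issues a fresh ID at login, and emits the cookie with attributes that also limit the hijacking described earlier. The SessionStore class, its method names, the SESSIONID cookie name and the scenario helper are assumptions for illustration.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Constructed server-side session store (not a real framework API)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def _new_id(self) -> str:
        # 256 bits of randomness; unguessable, and never derived from client input
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Issue a fresh anonymous session. Only IDs created here are honoured."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[dict]:
        # An ID the server never issued gets no session at all.
        return self._sessions.get(sid) if sid else None

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Fixation-prone login: keeps the pre-auth ID and even adopts an
        unknown ID presented by the client. Whoever chose the ID now shares
        the authenticated session."""
        session = self.lookup(sid)
        if session is None:
            self._sessions[sid] = {"user": None}
            session = self._sessions[sid]
        session["user"] = user
        return sid

    def login_hardened(self, sid: Optional[str], user: str) -> str:
        """Hardened login: drop the pre-auth session and issue a new ID at
        the privilege change, so a pre-planted ID is worthless afterwards."""
        if sid in self._sessions:
            del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that limit theft of the issued ID (constructed header):
    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from script,
    SameSite limits cross-site sending."""
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def fixation_scenario(hardened: bool) -> bool:
    """Model the fixation flow from the text against either login variant.
    Returns True if the planted ID ends up inside the victim's authenticated
    session, i.e. the fixation succeeded."""
    store = SessionStore()
    planted_sid = store.start()  # attacker obtains a valid ID from the app
    # the victim's browser is made to present planted_sid when logging in
    if hardened:
        store.login_hardened(planted_sid, "victim")
    else:
        store.login_vulnerable(planted_sid, "victim")
    # the planted ID is later replayed against the server
    session = store.lookup(planted_sid)
    return session is not None and session.get("user") == "victim"


if __name__ == "__main__":
    print("vulnerable login fixated:", fixation_scenario(hardened=False))
    print("hardened login fixated:  ", fixation_scenario(hardened=True))
    print(set_cookie_header(SessionStore().start()))
```

The two properties that matter are independent: refusing unknown IDs defeats fixation only if the attacker cannot first obtain a valid one, which the URL-argument case shows they usually can, so rotating the ID at login is the check that actually closes the hole.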

SESSION DONATION

In this type of attack, the attacker first establishes a session with the web server and then hands that session to the victim. The victim believes they are logged into their own account, but anything they do in that session is performed in the attacker's account, allowing the attacker to gain valuable information.

COOKIE MANIPULATION

Sometimes parameters such as whether a user's session should be given admin privileges are visible in cookies. If the web app is not set up securely, an attacker can modify the cookies they send, and where the application gives the cookie's value precedence over its other checks, the modified value is honoured.
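As an added example (not code from the original page) that ties the decoding and encoding section to the manipulation described here: a constructed base64 cookie carrying a role field is decoded, edited and re-encoded; a naive server that trusts the decoded role accepts the change, while a server that appends an HMAC tag over the payload rejects it, because encoding hides nothing but a keyed hash binds the value to a key only the server holds. The `<payload>.<hex tag>` layout, the field names and the key are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed cookie as it might appear on the wire: base64 of "role=user;uid=1042".
ENCODED_COOKIE = base64.b64encode(b"role=user;uid=1042").decode()


def decode_cookie(value: str) -> dict:
    """Base64-decode a cookie and parse its key=value pairs.
    Encoding is reversible by anyone holding the cookie."""
    raw = base64.b64decode(value).decode()
    return dict(pair.split("=", 1) for pair in raw.split(";") if pair)


def encode_cookie(fields: dict) -> str:
    raw = ";".join(f"{k}={v}" for k, v in fields.items())
    return base64.b64encode(raw.encode()).decode()


def naive_is_admin(cookie: str) -> bool:
    """Weak server: authorization decided by whatever the cookie claims."""
    return decode_cookie(cookie).get("role") == "admin"


# Hardened variant: same payload plus an HMAC-SHA256 tag. The key never
# leaves the server, so an edited payload cannot be given a matching tag.
SERVER_KEY = secrets.token_bytes(32)  # constructed; in practice a managed secret


def sign_cookie(fields: dict, key: bytes = SERVER_KEY) -> str:
    payload = encode_cookie(fields)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"  # base64 and hex never contain '.', so the split is unambiguous


def verify_cookie(signed: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the fields if the tag is valid, None for a missing or bad tag."""
    try:
        payload, tag = signed.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag check itself leaks nothing
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_cookie(payload)


def hardened_is_admin(signed: str) -> bool:
    fields = verify_cookie(signed)
    return fields is not None and fields.get("role") == "admin"


def tamper(cookie: str, **changes) -> str:
    """The tampering step from the text: decode, edit, re-encode. For a
    signed cookie the old tag is carried over, since without the key
    there is no way to compute a new one."""
    payload, sep, tag = cookie.partition(".")
    fields = decode_cookie(payload)
    fields.update(changes)
    return encode_cookie(fields) + sep + tag


if __name__ == "__main__":
    print(decode_cookie(ENCODED_COOKIE))
    forged = tamper(ENCODED_COOKIE, role="admin")
    print("naive server grants admin:", naive_is_admin(forged))
    signed = sign_cookie({"role": "user", "uid": "1042"})
    print("signed server grants admin:", hardened_is_admin(tamper(signed, role="admin")))
```

Signing only gives integrity: the payload is still readable, so anything confidential belongs in a server-side session keyed by an opaque ID rather than in the cookie itself, signed or not.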

For more general information about cookie hacking, check out this resource.