What is Cookie Poisoning?
Cookie poisoning is the manipulation and forging of cookies in order to gain illicit access to web applications. Hackers conducting cookie poisoning can forge cookies and gain illegal access to other users' accounts. This malicious practice is a very popular strategy among hackers engaging in identity theft.
So, how can a hacker poison a cookie?
Cookies are common elements in web applications, used to save information (e.g. account numbers, user IDs, time stamps, passwords, etc.). The saved information is stored on the user’s hard drive. Ideally, access to the stored information is limited only to the user. Simply put, cookies are used to save crucial user information, and are stored on the user’s computer system.
While visiting certain websites, visitors are asked for authentication. The username and password submitted by the user are validated by a login CGI (a program), and once validated, a cookie is stored in the user’s browser, which contains a numerical identifier for the submitted information. Aside from usernames and passwords, cookies can be used to store e-mail addresses, telephone numbers, names, and work and home addresses.
For example, a customer seeking to purchase a watch visits a website that sells watches. The customer logs in using the name “Smith”. During the transaction, the website stores a cookie that contains Smith’s personal information on Smith’s computer. A hacker can subsequently cause serious damage if he examines the cookie and edits it to his advantage. Generally, the hacker takes the original cookie (e.g. “Smith”) and edits or reworks it to change it to “Jones”. The hacker then re-encrypts the cookie, and the website now recognizes Smith as Jones.
How can cookie poisoning manipulations cause damage to your web applications? Through cookie poisoning, a hacker gets access to user accounts and the secured information within the account. Secure and sensitive information can also be stored in this way. As a result of cookie poisoning fraud, both the consumer and the website can face financial losses.
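The Smith/Jones edit described above succeeds only when the server trusts the cookie value as it comes back from the browser. The following is an added example, not code from this page: it places that weak handling beside a hardened form that attaches an HMAC tag the server can verify. The cookie layout, function names and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)

def issue_plain_cookie(username):
    """Weak form: the cookie value is the identity itself."""
    return f"user={username}"

def read_plain_cookie(cookie):
    """Weak form: trusts whatever the browser sends back."""
    return cookie.split("=", 1)[1]

def _tag(username, key):
    # HMAC-SHA256 over the value; only the key holder can compute it.
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()

def issue_signed_cookie(username, key=SERVER_KEY):
    """Hardened form: value plus an integrity tag, 'user=<name>.<tag>'."""
    return f"user={username}.{_tag(username, key)}"

def read_signed_cookie(cookie, key=SERVER_KEY):
    """Return the username only if the tag verifies, otherwise None."""
    name, _, value = cookie.partition("=")
    username, sep, tag = value.rpartition(".")
    if name != "user" or not sep:
        return None  # missing tag or wrong cookie name
    # Compare as bytes in constant time; a tag with odd characters fails.
    if not hmac.compare_digest(tag.encode(), _tag(username, key).encode()):
        return None
    return username

def demo():
    """Edit a constructed 'Smith' cookie to 'Jones' in both schemes."""
    plain = issue_plain_cookie("Smith").replace("Smith", "Jones")
    signed = issue_signed_cookie("Smith").replace("Smith", "Jones")
    return read_plain_cookie(plain), read_signed_cookie(signed)

if __name__ == "__main__":
    # The plain cookie is accepted as Jones; the signed one is rejected.
    print(demo())
```

The tag only detects edits: the value is still readable by the user, and an unmodified cookie copied from another machine still verifies, so sensitive data such as passwords should stay on the server.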
What we can do
Please contact us for further information.
© 2012 Toronto Professional services LTD. All rights reserved