Cookie Poisoning
Cookie poisoning attacks manipulate or forge cookies in order to gain illicit access to web applications. A hacker conducting cookie poisoning can forge a cookie so that the application treats him as a legitimately logged-in user and grants him access to another user's account. This practice is popular among hackers engaged in identity theft.
What are cookies, and how can a hacker poison one? Cookies are common elements of many web applications and are used to save information (e.g. account numbers, user IDs, time stamps, passwords, etc.). The saved information is kept on the user's hard drive, and access to it is meant to be limited to that user. Put simply, a cookie saves important user information and is stored on the user's machine. When visiting a particular website, a visitor is often asked to authenticate. The username and password he submits are validated by a login CGI (a program), and finally a cookie is stored in the user's browser containing a numerical identifier for the submitted information. Apart from the username and password, cookies can be used to store an e-mail address, telephone number, name, and work and home address.
For example, a customer buying watches visits a watch-selling website and logs in under the name Smith. During the transaction the website stores a cookie on the user's computer. A clever hacker can cause serious damage if he examines that cookie and edits it to his advantage: he takes the original cookie (identifying Smith) and reworks it to identify Jones instead. The hacker then re-encrypts (or re-encodes) the edited cookie, and the website now recognizes Smith as Jones.
So, how can cookie poisoning damage your web applications? Through cookie poisoning, a hacker gains access to a user's account and to the other protected information held in it. Sensitive and supposedly secured information can be stolen this way. As a result of such fraud, both the consumer and the website can suffer financial losses.
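The Smith-to-Jones edit described above, as an added example that is not part of the original article: a cookie that carries the bare username accepts the edit, while a cookie that also carries an HMAC over the username (computed with a constructed server-only key, an assumption of this example) rejects it.

```python
import hashlib
import hmac
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it
# from a secret store and never sends it to the browser.
SERVER_KEY = b"example-only-key-replace-me"


def make_weak_cookie(username: str) -> str:
    """The pattern the article warns about: the identity is the cookie value."""
    return f"user={username}"


def read_weak_cookie(cookie: str) -> str:
    """Server trusts whatever name comes back, so an edited cookie is believed."""
    return cookie.split("=", 1)[1]


def make_signed_cookie(username: str) -> str:
    """Append an HMAC-SHA256 tag computed with the server-only key."""
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"user={username}&mac={tag}"


def read_signed_cookie(cookie: str) -> Optional[str]:
    """Return the username only if the tag still matches; None on any tampering."""
    try:
        fields = dict(part.split("=", 1) for part in cookie.split("&"))
        username, tag = fields["user"], fields["mac"]
    except (ValueError, KeyError):
        return None  # malformed cookie
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return username


def edit_cookie(cookie: str, old: str, new: str) -> str:
    """Simulate the article's edit of the stored cookie (Smith -> Jones)."""
    return cookie.replace(old, new, 1)


if __name__ == "__main__":
    weak = edit_cookie(make_weak_cookie("Smith"), "Smith", "Jones")
    print("weak cookie read as:", read_weak_cookie(weak))        # Jones
    signed = edit_cookie(make_signed_cookie("Smith"), "Smith", "Jones")
    print("signed cookie read as:", read_signed_cookie(signed))  # None
```

A signature stops the value from being altered, but not a valid cookie from being copied, so session cookies should still be random, short-lived identifiers sent with the Secure and HttpOnly flags.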