-
Cross-Site Scripting
- 1. Assume that the value of the cookie parameter "Name" is reflected in the application.
- 2. Change the "Name" value to an XSS payload; if the reflection is unescaped, it may result in XSS.
-
Insufficient Session Management
-
Session Doesn't Expire on Logout
- On Server-Side Only
- Both Server-Side & Client-Side
- Long Session Expiry
- Session Doesn't Expire on Password Reset/Change
- Concurrent Session
-
Session Fixation
- An attacker tricks the victim user into using a session identifier that is already known to the attacker.
- Read: https://secureteam.co.uk/articles/web-application-security-articles/understanding-session-fixation-attacks/
-
Privilege Escalation
-
Horizontal
- 1. Assume that the application uses a multi-organization model.
- 2. Cookies are used to define which organization a user can access.
- 3. Alter the cookies in order to access some other organization.
-
Vertical
- 1. Assume that the cookies are used to determine the "Role" of the user.
- 2. Alter the cookies in order to elevate the "Role" of the user.
- Similarly, try whether a lower-privileged user's cookies can be used to access a higher-privileged user's functions, or whether the cookies of an Organization 1 user can be used to access functions of Organization 2.
-
Insecure Direct Object Reference
- 1. If the cookies use some access-defining parameter such as "user_id",
- 2. Change the value of this parameter in order to check whether you can access other users' data.
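The session-management, session-fixation and privilege-escalation items above share one root cause: the cookie itself carries state (expiry, organization, role, user id) that the client can edit or keep alive. The following added example (not code from the original checklist or its author) shows the server-side alternative: the cookie holds only a random session id, and expiry, logout, password-change invalidation, the concurrent-session cap, fixation defence and authorization are all decided from a server-side table. The `USERS` table, timeouts and the `SessionStore` class are assumptions made for the example.

```python
import secrets
import time

# Constructed user table for the example. In a real application the user's
# organization and role live in the database and are looked up by user id;
# they are never read back from cookie fields the client can edit.
USERS = {
    "u1": {"org": "org1", "role": "user"},
    "u2": {"org": "org2", "role": "admin"},
}
ROLE_RANK = {"user": 1, "admin": 2}

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime regardless of activity
MAX_CONCURRENT = 2           # live sessions allowed per user


class SessionStore:
    """Server-side session table keyed by an unguessable session id.

    The cookie carries only the id. Expiry, logout and password-change
    invalidation all happen here, so deleting the cookie in the browser
    (client-side only) is never the sole control.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._sessions = {}      # session_id -> {"user", "created", "seen"}

    def _sessions_of(self, user_id):
        return [sid for sid, s in self._sessions.items() if s["user"] == user_id]

    def login(self, user_id, presented_id=None):
        """Authenticate and issue a brand-new session id.

        Session-fixation defence: whatever id the client presented before
        login is discarded, never promoted to an authenticated session.
        """
        self._sessions.pop(presented_id, None)
        # Concurrent-session cap: evict the oldest sessions of this user.
        live = sorted(self._sessions_of(user_id),
                      key=lambda sid: self._sessions[sid]["created"])
        while len(live) >= MAX_CONCURRENT:
            del self._sessions[live.pop(0)]
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "seen": now}
        return sid

    def resolve(self, sid):
        """Return the user id behind a valid session, or None if it is gone or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expire server-side, not just in the browser
            return None
        s["seen"] = now
        return s["user"]

    def logout(self, sid):
        """Server-side invalidation; the cleared cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def on_password_change(self, user_id):
        """Kill every session of the user, including any an attacker may hold."""
        for sid in self._sessions_of(user_id):
            del self._sessions[sid]

    def authorize(self, sid, org, required_role="user"):
        """Authorization decided from the server-side user record only.

        This closes the horizontal (organization) and vertical (role)
        escalation paths: there is no org or role field in the cookie to alter.
        """
        user_id = self.resolve(sid)
        if user_id is None:
            return False
        rec = USERS[user_id]
        return rec["org"] == org and ROLE_RANK[rec["role"]] >= ROLE_RANK[required_role]
```

The object-level check for IDOR follows the same pattern: resolve the session to a user id on the server, then compare the owner of the requested record against that id rather than against a `user_id` cookie.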
-
Missing Cookie Security Attributes
- Missing HttpOnly Flag
- Missing Secure Flag
- Missing SameSite Attribute
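To make the three checks above repeatable over a captured response, here is an added example (not from the original checklist) that parses each Set-Cookie header, reports which of HttpOnly, Secure and SameSite is missing, flags the SameSite=None-without-Secure inconsistency, and re-emits a hardened header. The sample headers are constructed for the example; the function names are assumptions.

```python
# Attribute names are matched case-insensitively, as browsers do.
_CANONICAL = {
    "httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite",
    "path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires",
}


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the list of missing or inconsistent security attributes (empty if fine)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag (readable by script, e.g. via XSS)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag (sent over plain HTTP)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: missing SameSite attribute (browser default applies)")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None is only honoured together with Secure")
    return findings


def harden_set_cookie(header, samesite="Lax"):
    """Re-emit the header with HttpOnly, Secure and SameSite present; existing attributes kept."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", "")
    attrs.setdefault("secure", "")
    attrs.setdefault("samesite", samesite)
    pieces = [f"{name}={value}"]
    for key, val in attrs.items():
        label = _CANONICAL.get(key, key)
        pieces.append(f"{label}={val}" if val else label)
    return "; ".join(pieces)


def audit_response(headers):
    """Audit every Set-Cookie header in a list of (header_name, header_value) pairs."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cookie_name = parse_set_cookie(hvalue)[0]
            report[cookie_name] = audit_set_cookie(hvalue)
    return report


# Constructed sample response headers for the example: one weak cookie, one correct one.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "tracking=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Run `audit_response(SAMPLE_HEADERS)` to see the `session` cookie reported with all three findings and `tracking` reported clean; `harden_set_cookie("session=abc123; Path=/")` yields the corrected header.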
-
Guessable/Weak Cookie
- 1. Check whether the cookies are generated randomly by issuing multiple cookies and analyzing them.
- 2. Check whether some weak/known cryptography or encoding is used. Let's assume the cookies use Base64 encoding and can be decoded/forged easily.
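The two checks above can be automated over a batch of issued cookies. The following added example (not code from the original checklist) measures per-position Shannon entropy across the batch to find fixed positions and low overall randomness, and tries a strict Base64 decode to see whether the value is just encoded readable text. The `WEAK` and `STRONG` batches are constructed inline; the function names are assumptions.

```python
import base64
import binascii
import math
import secrets
import string
from collections import Counter


def try_decode_base64(value):
    """Return the decoded text if value is Base64 of printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in string.printable for c in text) else None


def shannon_bits(symbols):
    """Shannon entropy in bits of a list of symbols."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def positional_entropy(samples):
    """Entropy of each character position across the batch (up to the shortest sample)."""
    width = min(len(s) for s in samples)
    return [shannon_bits([s[i] for s in samples]) for i in range(width)]


def assess_cookie_batch(samples):
    """Summarize how predictable a batch of session cookies looks."""
    per_pos = positional_entropy(samples)
    decoded = [try_decode_base64(s) for s in samples]
    return {
        "samples": len(samples),
        "fixed_positions": sum(1 for e in per_pos if e == 0.0),
        "mean_bits_per_char": sum(per_pos) / len(per_pos),
        "decodes_as_text": all(d is not None for d in decoded),
        "decoded_examples": [d for d in decoded if d][:2],
    }


# Constructed batches: a weak cookie that is Base64 of a sequential user id,
# and a strong one drawn from the OS CSPRNG (256 bits, URL-safe Base64).
WEAK = [base64.b64encode(f"user={1000 + i};role=user".encode()).decode() for i in range(8)]
STRONG = [secrets.token_urlsafe(32) for _ in range(8)]
```

For `WEAK`, nearly every position is fixed and the values decode to readable `user=...;role=user` strings, i.e. the cookie is an encoding, not a secret; for `STRONG`, no position is fixed and the decode attempt fails. The batch should be large enough (dozens of cookies, issued close together) before drawing conclusions on a real target.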
-
Session Puzzling
- 1. When an application utilizes the same session variable for multiple purposes, this can be abused by an attacker to trick the application and perform the action as an authenticated or privileged user.
- 2. Read: https://github.com/harsh-bothra/learn365/blob/main/days/day17.md
-
File Inclusion
- 1. If a cookie is used to define some server-side attribute that can be controlled by a user, test for file inclusion attacks.
- Read: https://medium.com/@tehmezovismayil/cookie-based-php-local-file-inclusion-bug-bounty-553f8b38d4dc
-
Padding Oracle Attack
- Read: https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies#advanced-cookies-attacks
-
CBC-MAC/ECB Encryption
- Read: https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies#advanced-cookies-attacks
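Padding-oracle, CBC bit-flipping and ECB block-shuffling attacks on cookies all depend on the server decrypting or parsing a value before it has verified integrity. The following added example (not from the original checklist or the linked references) shows the defensive pattern: a JSON payload with an HMAC-SHA256 tag, verified with a constant-time compare before the payload is decoded at all, so a modified value is rejected identically regardless of what was changed. `SECRET_KEY` is generated inline for the example; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the example; a real deployment loads it from configuration
# or a secrets manager and rotates it.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload, key=SECRET_KEY, ttl=3600, now=None):
    """Serialize payload as JSON and append an HMAC-SHA256 tag over the encoded payload."""
    body = dict(payload)
    body["exp"] = int(time.time() if now is None else now) + ttl
    data = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return f"{data}.{_b64(tag)}"


def verify_cookie(value, key=SECRET_KEY, now=None):
    """Return the payload dict if the tag and expiry check out, else None.

    The tag is checked in constant time BEFORE the payload is decoded, so a
    tampered value never reaches the parser and every failure looks the same
    to the client (no padding or parse error to act as an oracle).
    """
    data, sep, tag = value.rpartition(".")
    if not sep:
        return None
    try:
        given = _unb64(tag)
    except ValueError:
        return None
    expected = hmac.new(key, data.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    try:
        body = json.loads(_unb64(data))
    except ValueError:
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < (time.time() if now is None else now):
        return None
    return body


def bit_flip_is_detected(cookie, key=SECRET_KEY, now=None):
    """Flip one bit in the payload part and confirm verification refuses it."""
    data, tag = cookie.rsplit(".", 1)
    raw = bytearray(_unb64(data))
    raw[0] ^= 0x01
    return verify_cookie(f"{_b64(bytes(raw))}.{tag}", key=key, now=now) is None
```

If the payload must also be confidential, the same rule applies: use an AEAD mode (for example AES-GCM from a maintained crypto library) or encrypt-then-MAC, and never plain CBC or ECB with the MAC checked after decryption.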
-
Authentication Bypass (Cookies are not Validated)
- 1. Try accessing a protected resource by removing cookies.
-
Parameter Pollution
- 1. Assume that the cookies utilize a parameter called "user_id=" to retrieve some data.
- 2. However, the application is not vulnerable to IDOR, and changing "user_id=" to the victim's value doesn't help.
- 3. The attacker adds an additional "user_id=" parameter to the cookie carrying the victim's user ID, like: "user_id=attacker&user_id=victim"
- 4. Three things can happen here:
- The application may retrieve the victim user's data.
- The application may retrieve the data of both the attacker and the victim user.
- The application is not vulnerable and doesn't return anything.
-
SQL Injection
- Read: https://resources.infosecinstitute.com/topic/cookie-based-sql-injection/
-
Denial of Service - Cookie Bomb
- 1. Forcing the server to process cookies larger than the cookie size limit defined by the server may cause a Denial of Service attack.
- Read: https://blog.innerht.ml/tag/cookie-bomb/
-
Mass Assignment
- 1. Similar to parameter pollution; however, here the attacker tries to inject multiple user IDs into the same user_id parameter.
-
Arbitrary Cookie Injection
- 1. Try injecting arbitrary cookies using attacks such as CRLF injection.
- 2. Sometimes this can be used to escalate privileges, or, if the application malfunctions, it can reveal sensitive information through stack traces.
-
Insecure Deserialization
- 1. If cookies contain serialized objects, try performing insecure deserialization checks.
- Read: https://portswigger.net/web-security/deserialization/exploiting
-
Cookie Length Violation
- It may cause attacks such as Buffer Overflows
- Read: https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/cookie_value_length_violation.htm
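The parameter pollution, cookie bomb, mass assignment, arbitrary cookie injection and cookie length violation items above are all handled on the server by one strict cookie layer. The following added example (not code from the original checklist or the linked references) parses the request Cookie header with a hard size and count limit, refuses duplicate names outright instead of picking first or last, requires an identifier cookie to be exactly one number, and refuses CR/LF or other control characters when building a Set-Cookie header. The limits and function names are assumptions made for the example.

```python
import re

MAX_HEADER_BYTES = 4096   # refuse before any per-cookie processing
MAX_COOKIES = 50
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")                          # RFC 6265 token
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")   # RFC 6265 cookie-octet


class CookieError(ValueError):
    """Raised for any cookie the application refuses to interpret."""


def parse_cookie_header(header):
    """Strict parse of a request Cookie header into {name: value}.

    Refuses oversized headers (cookie bomb), too many cookies, malformed
    pairs and, unlike lenient parsers, duplicate names (parameter pollution):
    neither first-wins nor last-wins, the request is rejected outright.
    """
    if len(header.encode("utf-8")) > MAX_HEADER_BYTES:
        raise CookieError("cookie header exceeds size limit")
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN.fullmatch(name) or not _COOKIE_OCTETS.fullmatch(value):
            raise CookieError(f"malformed cookie pair: {pair!r}")
        if name in cookies:
            raise CookieError(f"duplicate cookie name: {name}")
        if len(cookies) >= MAX_COOKIES:
            raise CookieError("too many cookies")
        cookies[name] = value
    return cookies


def get_single_id(cookies, name):
    """Read an identifier cookie that must be exactly one decimal number.

    'user_id=1&user_id=2' or 'user_id=1,2' (several ids packed into one value)
    fails the full match and is refused.
    """
    value = cookies.get(name)
    if value is None or not re.fullmatch(r"[0-9]{1,18}", value):
        raise CookieError(f"{name} must be a single numeric id")
    return int(value)


def build_set_cookie(name, value, attributes=("Path=/", "HttpOnly", "Secure", "SameSite=Lax")):
    """Build a Set-Cookie header, refusing control characters (CR/LF) that would
    let caller-controlled data inject extra headers or cookies."""
    if not _TOKEN.fullmatch(name) or not _COOKIE_OCTETS.fullmatch(value):
        raise CookieError("cookie name or value contains forbidden characters")
    for attr in attributes:
        if any(ord(ch) < 0x20 or ch == ";" for ch in attr):
            raise CookieError(f"forbidden character in attribute {attr!r}")
    return "; ".join([f"{name}={value}", *attributes])


def rejects(func, *args):
    """True if func(*args) raises CookieError; used to exercise the checks above."""
    try:
        func(*args)
    except CookieError:
        return True
    return False
```

A request that trips any of these checks should be answered with a generic 400 and logged with the cookie name (never the value), which also gives detection a clean signal for pollution and cookie-bomb attempts.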
-
Session Donation
- Read: https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies#session-donation
-
Sensitive Data Stored in Cookies
- Check whether any PII or other sensitive information is stored in cookies.
- This information usually includes: email, date of birth, mobile number, address, SSN, etc.
- Created By: Harsh Bothra
Twitter: @harshbothra_