Bug Bounty Hunting Essentials
上QQ阅读APP看书,第一时间看更新

Protecting the cookies

Due to cookies being fully controllable from the client side, there are mechanisms to protect them from malicious modification:

  • Secure: This is a header flag that could be included in the application server when a cookie is sent by the HTTP response. It used to protect the cookie from channel interception. Basically, the use of this flag forces the applications to send cookies just for HTTPS connections.
  • HttpOnly: This is a flag included in the header's response to avoid scripting attacks to extract information from the cookies. For example, in the past, it was very common use cross-site scripting (XSS) attacks to extract information from cookies using JavaScript. Using HttpOnly, just the cookie could be consulted by the browser, and not by external scripts.

These controls can prevent some attacks, but what happens if the original application is doing an unexpected action while you have a session established with it? Is it possible? Yes, for sure, and it is not an error from the application's point of view.