CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies (Version 2.11)

Attack Pattern ID: 31
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

+ Attack Steps
Explore
  1. Obtain copy of cookie: The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.

    Obtain cookie from local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt in Windows)

    Sniff cookie using a network sniffer such as Wireshark

    Obtain cookie from local memory or filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor.

    Steal cookie via a cross-site scripting attack.

    Guess cookie contents if it contains predictable information.

Experiment
  1. Obtain sensitive information from cookie: The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.

    If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.

    Analyze the cookie's contents to determine whether it contains any sensitive information.

  2. Modify cookie to subvert security controls: The adversary may be able to modify or replace cookies to bypass security controls in the application.

    Modify logical parts of cookie and send it back to server to observe the effects.

    Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.

    Modify cookie bitwise and send it back to server to observe the effects.

    Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend his points and then replace his cookie with an older one to restore his balance.

+ Attack Prerequisites
  • Target server software must be an HTTP daemon that relies on cookies.

  • The cookies must contain sensitive information.

  • The adversary must be able to make HTTP requests to the server, and the cookie must be contained in the reply.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
  • API Abuse
  • Protocol Manipulation
  • Time and State
+ Examples-Instances

Description

There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself, which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the man-in-the-middle attack relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To overwrite session cookie data, and submit targeted attacks via HTTP

Skill or Knowledge Level: High

Exploiting a remote buffer overflow triggered by the attack

+ Resources Required

A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior.

+ Solutions and Mitigations

Design: Use input validation for cookies

Design: Generate and validate MAC for cookies

Implementation: Use SSL/TLS to protect cookie in transit

Implementation: Ensure the web server implements all relevant security patches; many exploitable buffer overflows are fixed in patches issued for the software.
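The following is an added example, not part of the CAPEC entry and not MITRE's code. It shows the "Generate and validate MAC for cookies" mitigation in Python: the server appends an HMAC-SHA256 tag to the cookie body and rejects any cookie whose tag does not verify, which covers the logical, arithmetic and bitwise modifications listed under the Experiment step. Because a MAC alone cannot distinguish an older, still-authentic cookie from the current one (the "points balance" replay described in that step), the example also carries an issue time with a maximum age and a per-user state version held on the server. `SECRET_KEY`, the `LATEST_GEN` store, the `gen` field and the sample user data are all constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real deployment loads it from
# configuration or a key store and never places it in the cookie.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"

# Hypothetical server-side record of the newest state version ("gen") issued per
# user. This is what lets the server reject a replayed but authentic older cookie.
LATEST_GEN: dict[str, int] = {}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, issued_at: int, secret: bytes = SECRET_KEY) -> str:
    """Encode payload plus issue time, then append an HMAC-SHA256 tag over the encoded bytes."""
    body = json.dumps({"data": payload, "iat": issued_at}, sort_keys=True, separators=(",", ":"))
    encoded = _b64e(body.encode())
    tag = hmac.new(secret, encoded.encode(), hashlib.sha256).digest()
    return f"{encoded}.{_b64e(tag)}"


def issue_session_cookie(user: str, points: int, now: int) -> str:
    """Issue a fresh cookie and bump the user's state version so earlier cookies become stale."""
    gen = LATEST_GEN.get(user, 0) + 1
    LATEST_GEN[user] = gen
    return sign_cookie({"user": user, "points": points, "gen": gen}, issued_at=now)


def verify_cookie(cookie: str, now: int, max_age: int = 3600, secret: bytes = SECRET_KEY):
    """Return the payload if the cookie is authentic, unexpired and current; otherwise None."""
    if cookie.count(".") != 1:
        return None
    encoded, tag_b64 = cookie.split(".")
    try:
        tag = _b64d(tag_b64)
        body = json.loads(_b64d(encoded))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON (JSONDecodeError)
        return None
    expected = hmac.new(secret, encoded.encode(), hashlib.sha256).digest()
    # Constant-time comparison: any changed byte in the body or tag fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    if not isinstance(body, dict) or not isinstance(body.get("data"), dict):
        return None
    iat = body.get("iat")
    if not isinstance(iat, int) or iat > now or now - iat > max_age:
        return None  # expired, or claims to have been issued in the future
    data = body["data"]
    if data.get("gen") != LATEST_GEN.get(data.get("user")):
        return None  # authentic but stale: an older cookie being replayed
    return data


def demo_results() -> dict:
    """Run the verifier against the cookie manipulations named in the attack steps."""
    now = 1_700_000_000
    LATEST_GEN.clear()
    cookie = issue_session_cookie("alice", points=50, now=now)
    encoded, tag_b64 = cookie.split(".")

    # Arithmetic modification of the body without re-signing (the key is unknown to the client).
    body = json.loads(_b64d(encoded))
    body["data"]["points"] = 500
    forged = _b64e(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tampered = f"{forged}.{tag_b64}"

    # Bitwise modification: one bit of the tag flipped.
    raw_tag = bytearray(_b64d(tag_b64))
    raw_tag[0] ^= 0x01
    bitflipped = f"{encoded}.{_b64e(bytes(raw_tag))}"

    results = {}
    results["genuine_accepted"] = verify_cookie(cookie, now=now + 10) == {"user": "alice", "points": 50, "gen": 1}
    results["tampered_rejected"] = verify_cookie(tampered, now=now + 10) is None
    results["bitflipped_rejected"] = verify_cookie(bitflipped, now=now + 10) is None
    results["expired_rejected"] = verify_cookie(cookie, now=now + 3601) is None
    # Replay: the user spends their points, receives a new cookie, then re-sends the old one.
    newer = issue_session_cookie("alice", points=0, now=now + 60)
    results["replay_rejected"] = verify_cookie(cookie, now=now + 70) is None
    results["current_accepted"] = verify_cookie(newer, now=now + 70) == {"user": "alice", "points": 0, "gen": 2}
    return results


if __name__ == "__main__":
    for name, ok in demo_results().items():
        print(f"{name}: {ok}")
```

The MAC stops the server from acting on falsified cookie contents, but it does not hide those contents or protect them in transit, so the "use input validation" and "use SSL/TLS" mitigations above still apply alongside it. The server-side state version is the part most implementations forget: without it, an older cookie with a higher balance verifies just as well as the current one.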

+ Attack Motivation-Consequences
Scope                                          | Technical Impact                  | Note
Confidentiality                                | Read application data             |
Integrity                                      | Modify application data           |
Confidentiality, Access_Control, Authorization | Gain privileges / assume identity |
+ Injection Vector

HTTP cookie

+ Payload

Malicious input delivered through cookie in HTTP Request.

+ Activation Zone

Client software, such as a browser and its component libraries, or an intermediary

+ Payload Activation Impact
  1. Enables adversary to leverage state stored in cookie
  2. Gives the adversary a vector to attack the web server and platform
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter          | Organization          | Date       | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Modifications
Modifier           | Organization          | Date       | Comments                                                                                                                                         | Source
CAPEC Content Team | The MITRE Corporation | 2017-01-09 | Updated Related_Attack_Patterns                                                                                                                  | Internal
CAPEC Content Team | The MITRE Corporation | 2017-08-04 | Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required               | Internal

Page Last Updated or Reviewed: July 31, 2017