This attack relies on the use of HTTP Cookies to store credentials, state
information and other critical data on client systems.
The first form of this attack involves accessing HTTP Cookies to mine for
potentially sensitive data contained therein.
The second form of this attack involves intercepting this data as it is
transmitted from client to server. This intercepted information is then used
by the attacker to impersonate the remote user/session.
The third form is when the cookie's content is modified by the attacker
before it is sent back to the server. Here the attacker seeks to convince
the target server to operate on this falsified information.
Attack Execution Flow
Explore
Obtain copy of cookie:
The attacker first needs to obtain a copy of the
cookie. The attacker may be a legitimate end user
wanting to escalate privilege, or could be somebody
sniffing on a network to get a copy of HTTP
cookies.
Attack Step Techniques (ID / Description / Environments)
1. Obtain the cookie from the local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt on Windows). [env-Web]
2. Sniff the cookie using a network sniffer such as Wireshark. [env-Web]
3. Obtain the cookie from local memory or the filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor. [env-Web]
4. Steal the cookie via a cross-site scripting attack. [env-Web]
5. Guess the cookie contents if it contains predictable information. [env-Web]
Indicators (ID / Type / Description / Environments)
1. Positive: Cookies are used in the web application. [env-Web]
2. Negative: Cookies are not used in the web application. [env-Web]
Outcomes (ID / Type / Description)
1. Success: Cookie captured by attacker.
2. Failure: Cookie cannot be captured by attacker.
Security Controls (ID / Type / Description)
1. Preventative: To prevent network sniffing, cookies should be transmitted over HTTPS and not plain HTTP. To enforce this on the client side, the "Secure" flag should be set on cookies (javax.servlet.http.Cookie.setSecure() in Java, the secure parameter of PHP's setcookie() function, etc.).
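As an added example (not part of the CAPEC entry), the following Python script audits Set-Cookie response headers for the attributes that close the capture techniques above: Secure against sniffing (technique 2), HttpOnly against theft via cross-site scripting (technique 4), and SameSite against cross-site request reuse. The header strings are constructed for the demonstration; the parser is a deliberately small hand-written one rather than a library call.

```python
"""Audit Set-Cookie headers for Secure / HttpOnly / SameSite.

Added example with constructed headers. A cookie without Secure is sent
over plain HTTP and can be sniffed; one without HttpOnly is readable by
injected script through document.cookie.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into cookie name and attribute flags.

    Attribute names are case-insensitive (RFC 6265), so compare lowercased.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieAudit(name, secure, httponly, samesite)


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with one finding per missing protection."""
    c = parse_set_cookie(header)
    if not c.secure:
        c.findings.append("missing Secure: browser sends it over plain HTTP (sniffable)")
    if not c.httponly:
        c.findings.append("missing HttpOnly: readable via document.cookie (XSS theft)")
    if c.samesite is None:
        c.findings.append("missing SameSite: attached to cross-site requests")
    return c


# Constructed response headers: a weak session cookie and a hardened one.
WEAK = "JSESSIONID=4F2A9C; Path=/"
HARDENED = "JSESSIONID=4F2A9C; Path=/; Secure; HttpOnly; SameSite=Strict"


def main() -> None:
    for header in (WEAK, HARDENED):
        result = audit_set_cookie(header)
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{result.name}: {status}")


if __name__ == "__main__":
    main()
```

Run it against the Set-Cookie headers from a real response (for example, copied out of a proxy log) to see which session cookies a sniffer or an injected script could still obtain.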
Experiment
Obtain sensitive information from
cookie:
The attacker may be able to get sensitive
information from the cookie. The web application
developers may have assumed that cookies are not
accessible by end users, and thus, may have put
potentially sensitive information in them.
Attack Step Techniques (ID / Description / Environments)
1. If the cookie shows any sign of being encoded with a standard scheme such as base64, decode it. [env-Web]
2. Analyze the cookie's contents to determine whether it contains any sensitive information. [env-Web]
Indicators (ID / Type / Description / Environments)
1. Negative: Cookie only contains a random session ID (e.g. ASPSESSIONID, JSESSIONID, etc.). [env-Web]
2. Positive: Cookie contains sensitive information (e.g. "ACCTNO=0234234", or "DBIP=0xaf112a22", the database server's IP address). [env-Web]
3. Inconclusive: Cookie's contents cannot be deciphered. [env-Web]
Outcomes (ID / Type / Description)
1. Success: Cookie contains sensitive information that the developer did not intend the end user to see.
2. Failure: Cookie does not contain any sensitive information.
Security Controls (ID / Type / Description)
3. Preventative: Do not store sensitive information in cookies unless it is encrypted such that only the server can decrypt it.
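The Experiment step above, carried out in code as an added example (not part of the CAPEC entry): parse a request Cookie header, decode any value that looks base64-encoded, and classify each cookie using the indicators listed above. The cookie header, the session ID, and the sensitive-name keyword list are all constructed for the demonstration; the keyword list is a heuristic, not a standard.

```python
"""Decode and triage cookie values for sensitive content.

Added example with a constructed Cookie header. Verdicts follow the page's
indicators: "negative" for an opaque session id, "positive" when the name
or the decoded value points at data the client was not meant to read.
"""
import base64
import binascii
import json
import re
from typing import Dict, List, Tuple

# Heuristic field names that usually mean sensitive or authorization data.
SENSITIVE_NAMES = re.compile(r"(acct|account|ssn|role|admin|pass|pwd|user|dbip)", re.I)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; values keep any '=' padding."""
    out: Dict[str, str] = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            out[name] = value
    return out


def try_decode(value: str) -> Tuple[str, str]:
    """Return (scheme, plaintext).

    Only report base64 when the decoded bytes are printable ASCII; a random
    session id often has base64 shape but decodes to binary noise.
    """
    if len(value) >= 8 and len(value) % 4 == 0 and B64_SHAPE.match(value):
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
            if text.isprintable():
                return "base64", text
        except (binascii.Error, UnicodeDecodeError):
            pass
    return "plain", value


def inspect_cookie(header: str) -> List[Dict[str, str]]:
    """One finding per cookie in the header, in header order."""
    findings = []
    for name, value in parse_cookie_header(header).items():
        scheme, text = try_decode(value)
        reasons = []
        if SENSITIVE_NAMES.search(name):
            reasons.append(f"name '{name}' suggests sensitive data")
        if scheme == "base64":
            reasons.append("base64-encoded, decodes to readable text")
            if SENSITIVE_NAMES.search(text):
                reasons.append("decoded text names a sensitive field")
        findings.append({
            "name": name,
            "scheme": scheme,
            "plaintext": text,
            "verdict": "positive" if reasons else "negative",
            "reasons": "; ".join(reasons),
        })
    return findings


# Constructed request cookie: an opaque session id, a plaintext account
# number, and a base64 blob carrying a role claim the client can read.
PREFS = base64.b64encode(json.dumps({"user": "bob", "role": "admin"}).encode()).decode()
SAMPLE = f"JSESSIONID=0A1B2C3D4E5F6A7B8C9D; ACCTNO=0234234; prefs={PREFS}"


if __name__ == "__main__":
    for finding in inspect_cookie(SAMPLE):
        print(f"{finding['name']}: {finding['verdict']} ({finding['scheme']}) {finding['reasons']}")
```

A value that passes the base64 check but decodes to unreadable bytes is reported as plain, which matches the page's "inconclusive" indicator: it may be encrypted or random, and nothing further can be said without more samples.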
Modify cookie to subvert security controls:
The attacker may be able to modify or replace
cookies to bypass security controls in the
application.
Attack Step Techniques (ID / Description / Environments)
1. Modify logical parts of the cookie and send it back to the server to observe the effects. [env-Web]
2. Modify numeric parts of the cookie arithmetically and send it back to the server to observe the effects. [env-Web]
3. Modify the cookie bitwise and send it back to the server to observe the effects. [env-Web]
4. Replace the cookie with an older legitimate cookie and send it back to the server to observe the effects. This technique is useful where the cookie contains a "points balance" for a given user and the points have some value: the user may spend his points and then replace his cookie with an older one to restore his balance. [env-Web]
Outcomes (ID / Type / Description)
1. Success: Subversion of security controls on the server.
2. Failure: Cookie reset by the server.
Security Controls (ID / Type / Description)
1. Detective: Web server logs contain many messages indicating that invalid cookies were received from the client.
2. Preventative: Cookies should not contain any information that the user is not allowed to modify, unless that information is never expected to change. In the latter case, the integrity of the cookie should be protected using a digital signature or a message authentication code.
Attack Prerequisites
Target server software must be an HTTP daemon that relies on cookies.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
API Abuse
Protocol Manipulation
Time and State
Examples-Instances
Description
There are two main attack vectors for exploiting poorly protected session variables such as cookies. The first is the local machine itself, which can be attacked directly at the physical level or indirectly through XSS and phishing. The second is a man-in-the-middle attack, which relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the attacker to accomplish if no other protection mechanisms are in place.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low. To overwrite session cookie data and submit targeted attacks via HTTP.
Skill or Knowledge Level: High. To exploit a remote buffer overflow triggered by the attack.
Resources Required
Ability to send HTTP request containing cookie to server
Solutions and Mitigations
Design: Use input validation for cookies.
Design: Generate and validate a MAC for cookies.
Implementation: Use SSL/TLS to protect the cookie in transit.
Implementation: Ensure the web server has all relevant security patches applied; many exploitable buffer overflows are fixed in patches issued for the software.
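The MAC control from the third attack step's Security Controls and the "Generate and validate MAC for cookies" mitigation above, shown as an added Python example (not part of the CAPEC entry). It places the vulnerable pattern (a points balance read straight from the cookie) beside a cookie whose body is protected by HMAC-SHA256, and then shows the caveat a practitioner needs: a MAC stops arithmetic and bitwise modification (techniques 1 to 3) but not replay of an older, validly signed cookie (technique 4), so the server also keeps a per-user version counter. The secret key, user name, and balances are constructed for the demonstration.

```python
"""Unsigned vs. HMAC-protected cookie, plus replay rejection.

Added example; KEY, the user and the point values are constructed. The
MAC covers the exact serialized body, so any change to the body
invalidates the tag. Replay is handled separately by a server-side
version counter, since a MAC alone says nothing about freshness.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

KEY = b"constructed-server-secret-do-not-reuse"


def parse_unsigned(cookie: str) -> int:
    """Vulnerable pattern: trust 'points=N' exactly as the client sent it."""
    return int(cookie.split("=", 1)[1])


def issue(payload: Dict[str, Any]) -> str:
    """Serialize the payload deterministically and append an HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(cookie: str) -> Optional[Dict[str, Any]]:
    """Return the payload if the tag matches, else None.

    compare_digest avoids a timing side channel on the tag comparison.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def tamper(cookie: str, new_points: int) -> str:
    """Attacker move (technique 2): rewrite the number but keep the old tag."""
    body, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body))
    data["points"] = new_points
    forged = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{forged}.{tag}"


class PointsServer:
    """Issues signed balance cookies and rejects stale ones.

    `latest` maps user -> the version of the most recently issued cookie;
    an older cookie verifies cryptographically but fails the version check.
    """

    def __init__(self) -> None:
        self.latest: Dict[str, int] = {}

    def grant(self, user: str, points: int) -> str:
        version = self.latest.get(user, 0) + 1
        self.latest[user] = version
        return issue({"user": user, "points": points, "ver": version})

    def spend(self, cookie: str, cost: int) -> Optional[str]:
        """Return a new cookie with the reduced balance, or None if rejected."""
        data = verify(cookie)
        if data is None:
            return None                      # tampered or not ours
        if data["ver"] != self.latest.get(data["user"]):
            return None                      # replay of an older cookie
        if data["points"] < cost:
            return None                      # insufficient balance
        return self.grant(data["user"], data["points"] - cost)


if __name__ == "__main__":
    print("unsigned, attacker-edited:", parse_unsigned("points=999999"))
    server = PointsServer()
    first = server.grant("bob", 100)
    print("forged signed cookie accepted:", verify(tamper(first, 999999)) is not None)
    second = server.spend(first, 60)
    print("balance after spend:", verify(second)["points"])
    print("replay of first cookie accepted:", server.spend(first, 60) is not None)
```

The version counter is server-side state, which is the point: once the cookie holds a value the user must not roll back, the server has to remember something about it, and the cookie then only saves a lookup rather than replacing one. The "Detective" control above follows naturally, since every rejected tag or stale version is a log line worth counting.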
Attack Motivation-Consequences
Information Leakage
Data Modification
Privilege Escalation
Injection Vector
HTTP cookie
Payload
Malicious input delivered through cookie in HTTP Request.
Activation Zone
Client software, such as a browser and its component libraries, or an
intermediary
Payload Activation Impact
1. Enables attacker to leverage state stored in cookie
2. Enables attacker a vector to attack web server and platform
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.