Cookies are used to manage state, handle logins or simply to track you for advertising purposes, and should be kept safe. The process involved in setting a cookie is:
- The server asks the user’s browser to set a cookie.
- It gives a name, value and other parameters.
- Browser stores the data in disk or memory. This depends on the cookie type.
Each request to the website sends the cookies along with the request. The major vulnerabilities with cookies are:
- Cookies are not protocol-specific. That is, a cookie set on the HTTPS version of a website will also be sent to the HTTP version.
- Cookies can be accessed by JavaScript in the browser. So if an attacker manages to run malicious JavaScript on your website (for example through XSS), that script can read your cookies.
Cookies set by this server lack the Secure flag. As a result, any HTTP link to the same server will cause the cookie to be sent in clear text. The cookies may contain sensitive information, which makes this a high-risk vulnerability.
Impact
The impact of this vulnerability includes:
- Huge data breach
- Possible manipulation of application’s sensitive information
Mitigation / Precaution
Beagle recommends the following fixes:
- Set the Secure flag on cookies so that they are only sent over an encrypted channel (HTTPS).
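The following Python script is an added example, not code from the original page or from Beagle Security. It parses Set-Cookie header values the way a scanner sees them in a response, flags cookies that lack the Secure flag described above and, because the page also names JavaScript access as a risk, the HttpOnly flag as well, and builds a header value that carries both. The sample headers and cookie names are constructed for the example; no real site is involved.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) flag.

Constructed example: the sample headers below are made up and do not
come from any real server.
"""

# Constructed sample Set-Cookie values as they might appear in a response.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=a1b2c3d4; Path=/; HttpOnly",                    # no Secure: sent over HTTP too
    "csrftoken=9f8e7d6c; Path=/; Secure",                      # no HttpOnly: readable via XSS
    "prefs=dark; Max-Age=31536000; Path=/; Secure; HttpOnly",  # hardened
]

# Attributes that are flags: their presence matters, any value is ignored (RFC 6265).
FLAG_ATTRS = {"secure", "httponly"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased. Flag attributes map to True; valued
    attributes (Path, Max-Age, Expires, ...) map to their string value.
    Splitting on ';' is safe because attribute values never contain one.
    """
    name_value, *attr_parts = header.split(";")
    name, _, value = name_value.partition("=")
    attrs = {}
    for part in attr_parts:
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()
        attrs[key] = True if key in FLAG_ATTRS else val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header):
    """Return a list of finding codes for one Set-Cookie header value."""
    cookie = parse_set_cookie(header)
    findings = []
    if cookie["attrs"].get("secure") is not True:
        findings.append("missing-secure")      # cookie also travels over plain HTTP
    if cookie["attrs"].get("httponly") is not True:
        findings.append("missing-httponly")    # cookie readable by page JavaScript
    return findings


def audit_response_headers(headers):
    """Audit every Set-Cookie value in a response; returns {cookie_name: findings}."""
    report = {}
    for header in headers:
        findings = audit_set_cookie(header)
        if findings:
            report[parse_set_cookie(header)["name"]] = findings
    return report


def hardened_set_cookie(name, value, max_age=3600, path="/"):
    """Build a Set-Cookie header value that carries Secure and HttpOnly."""
    if ";" in name or ";" in value:
        raise ValueError("cookie name and value must not contain ';'")
    return f"{name}={value}; Max-Age={max_age}; Path={path}; Secure; HttpOnly"


if __name__ == "__main__":
    for name, findings in audit_response_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {', '.join(findings)}")
    print(hardened_set_cookie("sessionid", "a1b2c3d4"))
```

Running the script reports `sessionid` as missing Secure and `csrftoken` as missing HttpOnly, while the hardened `prefs` cookie produces no findings; the last line shows the header shape a server should emit for a session cookie.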