Unsecured HTTP cookies

By
Rejah Rehim
Published on
24 Jun 2018
1 min read
Cookies

Cookies are used to manage state, handle logins, or simply to track you for advertising purposes, and they should be kept safe. The process involved in setting a cookie is:

  1. The server asks the user's browser to set a cookie.
  2. It gives a name, a value and other parameters.
  3. The browser stores the data on disk or in memory, depending on the cookie type.

Each request to the website sends the cookies along with the request. The major vulnerabilities with cookies are:

  • Cookies are not protocol-specific. That is, a cookie set on the HTTPS version of a website is also accessible to the HTTP version.
  • Cookies can be accessed by JavaScript in the browser. So if an attacker manages to run their own JavaScript on your website, for example through XSS, your cookies can be read by the attacker.

Cookies set by this server are without the Secure flag. As a result, any HTTP link to the same server results in the cookie being sent in clear text. The cookies may contain sensitive information, making this a high-risk vulnerability.

Impact

The impacts of this vulnerability include:

  • Huge data breach
  • Possible manipulation of application’s sensitive information

Mitigation / Precaution

Beagle recommends the following fix:

  • Set the Secure flag on the cookie so that the browser sends it only over an encrypted channel (HTTPS).
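As an added example (not code from the original article), the following Python script builds a Set-Cookie header that carries the Secure and HttpOnly flags and audits a set of response headers for cookies that lack them; the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the original article; the sample
response headers below are constructed for illustration.
"""
from http.cookies import SimpleCookie


def build_set_cookie(name, value, secure=True, httponly=True):
    """Return a Set-Cookie header value carrying the requested flags."""
    jar = SimpleCookie()
    jar[name] = value
    if secure:
        jar[name]["secure"] = True    # browser sends it only over HTTPS
    if httponly:
        jar[name]["httponly"] = True  # hidden from document.cookie (XSS)
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie value and report the protection flags it lacks.

    Returns (cookie_name, missing_flags); missing_flags is drawn from
    ["Secure", "HttpOnly"], in that order.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); flags carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return name, missing


def audit_response_headers(headers):
    """Run audit_set_cookie over every Set-Cookie header of a response."""
    findings = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, missing = audit_set_cookie(value)
            if missing:
                findings[name] = missing
    return findings


# Constructed sample response: one unprotected cookie, one hardened cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),               # no flags
    ("Set-Cookie", build_set_cookie("auth_token", "xyz789")),  # Secure; HttpOnly
]

if __name__ == "__main__":
    for cookie, flags in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```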