Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-
- The server asks your browser to set a cookie.
- It gives a name, value and other parameters.
- Browser stores the data in disk or memory. This feature depends on the cookie type.
If a secure flag is set in a cookie, then the browsers will not submit the cookie in through an unencrypted HTTP connection. This prevents the cookie from being intercepted by an attacker monitoring the communication. If the secure flag is not set, then the cookie will be transmitted as a clear-text to the user. An attacker can exploit this vulnerability by sending the end users with malicious links. An attacker can use links of the form http://example.beaglesecurity.com:777/ to perform a malicious attack on the user.
An attacker can successfully attack a user if he gets access to the communication channel. This attack is possible when an end user accesses a website through public access points such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defences such as switched networks are not sufficient to prevent this. An attacker situated in the user’s ISP or the application’s hosting infrastructure could also perform this attack.
Impact
Using this vulnerability, an attacker can.
- redirect the user to a malicious site to steal information/data.
- show user false data which will, in turn, affect the credibility of the website.
Mitigation / Precaution
Beagle recommends that the secure flag should be set on all cookies transmits sensitive data. Especially when accessing content over HTTPS. The user session tokens should never be transmitted over unencrypted communications. If the cookies transmit session tokens, the application that is accessed over HTTPS should employ a session handling mechanism.
