Cookies are used to manage state, handle logins and track users for advertising, so they should be kept safe. The process of setting a cookie is:
The server asks your browser to set a cookie.
It gives a name, value and other parameters.
The browser stores the data on disk or in memory, depending on the cookie type (persistent or session).
If a cookie is not set with the Secure flag, the browser will send it in plain text over any channel, including unencrypted HTTP. An attacker who can intercept this communication can read sensitive information such as session identifiers. To exploit this vulnerability, the attacker must be positioned to eavesdrop on the communication, which is possible when the user is on an insecure connection such as public WiFi or an office network with a compromised system.
Using this vulnerability, an attacker can:
redirect the user to a malicious site to steal information/data.
show the user false data, which in turn damages the credibility of the website.
Beagle recommends the following fixes:
Java supports the secure flag in the Cookie interface (javax.servlet.http.Cookie). The methods setSecure and isSecure can be used to set and check the secure value of a cookie.
Add the following code to web.xml:
Add a custom header:
Insert the following in web.config:
Add the following line to php.ini:
If the cookie is set from a script via a function:
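As an added example that is not part of Beagle's page or of any of the frameworks above, the following Python script parses Set-Cookie response headers and reports the cookies that were issued without the Secure flag, which is the check a reviewer would run against a server's responses after applying one of the fixes. The sample headers are constructed for the example.

```python
# Added example: audit Set-Cookie headers for the Secure flag.
# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "PHPSESSID=def456; Path=/",
    "tracking=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",
    "ASP.NET_SessionId=ghi789; Path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Attributes are separated by ';'. Only the first '=' in the name=value pair is
    significant, so a value such as 'b=c' is preserved. Flag attributes without a
    value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def insecure_cookies(headers):
    """Return the names of cookies that lack the Secure attribute.

    Such cookies are transmitted in clear text whenever the browser makes a
    plain HTTP request to the same host, which is the exposure described above.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_HEADERS):
        print(f"{name}: Secure flag missing, cookie may be sent over plain HTTP")
```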