Testing for cookies attributes (OTG-SESS-002)

Revision as of 23:12, 7 June 2008 by Khorvath (talk | contribs) (Description of the Issue)



This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP is at the moment working on the OWASP Testing Guide v4: you can browse the Guide here

This is a draft of a section of the new Testing Guide v3

Brief Summary

Cookies are a frequent attack vector (typically one user is attacked through another user's cookie), so an application must take due care to protect them. In this section we look at the precautions an application can take when it sets cookies and at how to test that the cookie attributes have been configured correctly.

Description of the Issue

The importance of cookies, and of using them securely, cannot be overstated, especially in dynamic web applications that must maintain state on top of a stateless protocol such as HTTP. To understand why, it helps to know what cookies are primarily used for: as a session authorization/authentication token and/or as a temporary data container. If an attacker can obtain a session token by some means, such as cross site scripting (XSS) or sniffing an unencrypted connection, they can present that cookie and hijack the victim's current session.

Cookies are also used to maintain state across multiple requests. Because HTTP is stateless, the server cannot tell whether a request belongs to a current session or starts a new one without some kind of identifier, and that identifier is very commonly (though not always) a cookie. Many kinds of applications need to track state across requests; the obvious one is an online store, where the items a user adds to a shopping cart must be retained in subsequent requests. Cookies are commonly used for this task. The application sets them with the Set-Cookie header in its HTTP response, usually in name=value format followed by optional attributes (described below); this requires cookies to be enabled and supported, which is the case for all modern browsers. Once the application has told the browser to use a particular cookie, the browser sends it with every subsequent request that matches the cookie's domain and path. A cookie can contain data such as the items in a shopping cart, their prices and quantities, personal information, user IDs, and so on. Because of the sensitive nature of this information, cookie values are typically encoded and often encrypted or signed; note that encoding alone (for example Base64) protects nothing, since it is trivially reversed.

Several cookies are often set in one response, each in its own Set-Cookie header, and the browser returns all matching cookies in a single Cookie request header, separated by semicolons. In the online store example you will typically have one cookie holding the authentication token (the session token mentioned above) once you log in, and several other cookies identifying the items you wish to purchase and their auxiliary information (price, quantity, etc.).

Now that we have looked at how, when and why cookies are set and why they matter, let us look at the attributes that can be set on a cookie and how to test whether they are secure. The following list gives each attribute and what it means; the next sections cover how to test for each of them.

  • secure - Instructs the browser to send the cookie only over an encrypted (HTTPS) connection, so it is never exposed on the wire to an attacker sniffing plain HTTP. A session cookie set without this flag by an HTTPS application is sent in clear text as soon as the browser makes any HTTP request to the same host.
  • HttpOnly - Instructs the browser not to expose the cookie to client-side script (for example through document.cookie). This limits the damage an XSS flaw can do by preventing the session token from being stolen via script; browser support varies, so it is a defence in depth measure, not a substitute for fixing XSS.
  • domain - Sets which hosts the browser will send the cookie to. If it is set to a parent domain (for example example.com) the cookie is sent to every host under that domain, including hosts the application does not control; if it is left unset the cookie is scoped to the host that issued it.
  • path - Restricts the cookie to a URL path prefix on the host; a path of / sends it with every request to the host. The narrower the path, the fewer parts of the site (and of other applications on the same host) receive the cookie.
  • expires - Sets the date at which the browser discards the cookie (Max-Age is the equivalent relative lifetime in seconds). Without it the cookie is a "session cookie" that is kept only until the browser is closed; a persistent session token keeps the account exposed for as long as the cookie remains valid, which matters on shared machines.

Black Box testing and example

Testing for cookie attribute vulnerabilities:
Log in to the application through an intercepting proxy and inspect every Set-Cookie header the application returns, paying particular attention to the cookies set after authentication. For each cookie, check whether the secure flag is present when the application is served over SSL, whether HttpOnly is present, whether domain is scoped no wider than the application's host, whether path is no broader than the application needs, and whether a session token is given an expires value that outlives the session. The flags can also be verified from the browser side: replay a request to the same host over plain HTTP and check that the cookie is not sent (secure), and check that alert(document.cookie) does not show the session token (HttpOnly).
Result Expected:
Session tokens and other sensitive cookies carry both the secure and HttpOnly flags, their domain and path are as narrow as the application allows, and session tokens are not persistent. Any cookie that falls short is reported together with the exposure it creates (sniffing of the token, theft through script, disclosure to other hosts under the same domain, or an account that stays usable after the user has finished).
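As an added illustration of the black box check above and of the Set-Cookie format described earlier (this is example code, not part of the OWASP Testing Guide), the script below parses Set-Cookie headers as an intercepting proxy would show them in a response and reports, for each cookie, which of the attributes listed above are missing or scoped too widely. The host shop.example.com, the cookie names and values, and the fixed audit date are constructed for the example; nothing in it is taken from a real application.

```python
# Added example (not from the OWASP Testing Guide): audit the attributes of
# Set-Cookie headers captured from an HTTP response.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: three Set-Cookie headers as an intercepting proxy would
# show them in a response from https://shop.example.com (hypothetical host).
SAMPLE_HOST = "shop.example.com"
SAMPLE_SET_COOKIE = [
    # session token with both flags, scoped to the host, non-persistent
    "JSESSIONID=8F2A1C9E3B7D; Path=/; Secure; HttpOnly",
    # cart cookie: no flags, shared with every *.example.com host, persistent
    "cart=item42:2,item17:1; Domain=.example.com; Path=/; "
    "Expires=Sun, 08 Jun 2008 00:00:00 GMT",
    # preference cookie whose value itself contains '='
    "prefs=lang=en; Path=/; Max-Age=2592000",
]
# Fixed "current time" (constructed) so the reported lifetime is reproducible.
AUDIT_TIME = datetime(2008, 6, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    The first 'name=value' pair is the cookie; everything after the first ';'
    is an attribute. Attribute names are lower-cased; flag attributes such as
    Secure and HttpOnly map to True, valued ones (Domain=...) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, request_host, now=AUDIT_TIME):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from script")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        domain = domain.lstrip(".").lower()
        if domain != request_host.lower():
            findings.append(f"Domain={domain}: cookie is sent to every host under that domain")
    path = attrs.get("path")
    if path == "/":
        findings.append("Path=/: cookie is sent with every request to the host")
    elif path is None:
        findings.append("no Path: browser derives the scope from the request URL")
    if isinstance(attrs.get("max-age"), str):
        try:
            findings.append(f"persistent: Max-Age={int(attrs['max-age'])} seconds")
        except ValueError:
            findings.append(f"malformed Max-Age={attrs['max-age']!r}")
    elif isinstance(attrs.get("expires"), str):
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):  # older Pythons raise TypeError on bad dates
            expires = None
        if expires is None:
            findings.append(f"malformed Expires={attrs['expires']!r}")
        else:
            if expires.tzinfo is None:  # '-0000' dates come back naive
                expires = expires.replace(tzinfo=timezone.utc)
            findings.append(f"persistent: Expires in {(expires - now).days} days")
    return name, findings


def audit_response(set_cookie_headers, request_host, now=AUDIT_TIME):
    """Map cookie name -> findings for every Set-Cookie header in a response."""
    return dict(audit_cookie(h, request_host, now) for h in set_cookie_headers)


def audit_sample():
    """Run the audit over the constructed sample response."""
    return audit_response(SAMPLE_SET_COOKIE, SAMPLE_HOST)


if __name__ == "__main__":
    for cookie, findings in audit_sample().items():
        print(f"{cookie}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Feed it the Set-Cookie lines copied from the proxy (one string per header) together with the host the response came from; the domain check compares the attribute against that host, so a cookie scoped to a parent domain is reported as shared with sibling hosts. Path=/ and a missing Path are reported as informational findings so the tester can judge them against what the application actually needs.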

Gray Box testing and example

Testing for cookie attribute vulnerabilities:
Review the code and configuration that create cookies: the calls that set the session cookie and any application cookies, and the framework or web server settings that control their flags. Check that the secure and HttpOnly flags, the domain, the path and the expiry are set consistently on every code path that issues a cookie, not only on the main login path, and that the cookie expiry agrees with the application's session timeout.
Result Expected:
Every cookie that carries a session token or sensitive data is created with the secure and HttpOnly flags, a domain and path no wider than the application needs, and an expiry consistent with the session timeout.

Tools

  • Intercepting Proxy
  • Browser Plug-in