Testing for cookies attributes (OTG-SESS-002)
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
This is a draft of a section of the new Testing Guide v3
Cookies are often a key attack vector for malicious users (typically targeting other users) and as such the application should always take due diligence to protect these cookies. In this section we will look at how an application can take the necessary precautions when assigning cookies and how to test that these attributes have been correctly configured.
Description of the Issue
Now that you have an understanding of how cookies are set, when they are set, what they are used for, why they are used, and their importance; let's take a look at what attributes can be set for a cookie and how to test if they are secure. The following is a list of the attributes that can be set for each cookie and what they mean. The next section will focus on how to test for each attribute.
- secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests.
If the application can be accessed over both HTTP and HTTPS then there is the potential that the cookie can be sent in clear text.
- domain - This attribute is used to compare against the domain of the server in which the URL is being requested. If the domain matches or if it is a sub-domain then the path attribute will be checked next.
Note that only hosts within the specified domain can set a cookie for that domain. Also the domain attribute can not be a top level domain (such as .gov or .com) to prevent against servers being able to set arbitrary cookies for another domain. If domain attribute is not set then the default value of domain is set to the hostname of the server which generated the cookie. For example if a cookie is set by an application at app.mydomain.com with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for app.mydomain.com and its subdomains (such as hacker.app.mydomain.com), but not to otherapp.mydomain.com. If a developer wanted to loosen this restriction then he could set the domain attribute to mydomain.com. In this case the cookie would be sent to all requests for app.mydomain.com, its subdomains such as hacker.app.mydomain.com, and even bank.mydomain.com. If there was a vulnerable server on a subdomain such as (otherapp.mydomain.com) and the domain attribute has been set too loosely (for example mydomain.com), then the vulnerable server could be used to harvest cookies (such as session tokens).
- path - In addition to the domain, the URL path can be specified for which the cookie is valid. If the domain and path match then the cookie will be sent in the request.
Just as with the domain attribute if the path attribute is set too loosely then it could leave the application vulnerable to attack by other applications on the same server. For example if the path attribute was set to the web server root "/" then the application cookies will be sent to every application within the same domain.
- expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded. This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires. Once the expiration date has exceeded the browser will delete the cookie. Alternatively if this attribute is not set then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends.
Black Box testing and example
Testing for cookie attribute vulnerabilities:
Using an intercepting proxy or browser plugin trap all responses where a cookie is set by the application (using the Set-cookie directive) and inspect the cookie for the following:
- Secure Attribute - Whenever a cookie contains sensitive information or is a session token then it should always be passed using an encrypted tunnel. For example after logging into an application and a session token is set using a cookie, then verify it is tagged using the ";secure" flag. If it is not then the browser believes it safe to pass via an unencrypted channel such as using HTTP.
- HttpOnly Attribute - This attribute should always be set even though not every browser supports it. This attribute aides in securing the cookie from being accessed by a client side script so check to see if the ";HttpOnly" tag has been set.
- Domain Attribute - Verify that the domain has not been set too loosely. As noted above it should only be set for the server that needs to receive the cookie. For example if the application resides on server app.mysite.com then it should be set to "; domain=app.mysite.com" and NOT "; domain=.mysite.com" as this would allow other potentially vulnerable servers to receive the cookie.
- Path Attribute - Verify that the path attribute, just as the Domain attribute, has not been set too loosely. Even if the Domain attribute has been configured as tight as possible, if the path is set to the root directory "/" then it can be vulnerable to less secure applications on the same server. For example if the application resides at /myapp/ then verify that the cookies path is set to "; path=/myapp/" and NOT "; path=/" or "; path=/myapp". Notice here that the trailing "/" must be used after myapp. If it is not used the browser will send the cookie to any path that matches "myapp" such as "myapp-exploited".
- Expires Attribute - Verify that if this attribute is set to a time in the future that it does not contain any sensitive information. For example if a cookie is set to "; expires=Fri, 13-Jun-2010 13:45:29 GMT" and it is currently June 10th 2008 then you want to inspect the cookie. If the cookie is a session token that is stored on the user's hard drive then an attacker or local user (such as an admin) who has access to this cookie can access the application by resubmitting this token until the expiration date passes.
- RFC 2965 - HTTP State Management Mechanism -
- RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1 -
- OWASP: Webscarab -
- Dafydd Stuttard: Burp proxy -
- MileSCAN: Paros Proxy -
- "TamperIE" for Internet Explorer -
- Adam Judson: "Tamper Data" for Firefox -