This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
Description
Attack Execution Flow
3
1
Step 1
Explore[Obtain copy of cookie] The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.
Sniff cookie using a network sniffer such as Wireshark
Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.
Steal cookie via a cross-site scripting attack.
Guess cookie contents if it contains predictable information.
AI Translation
[Ottenere una copia del cookie] L'attaccante deve prima ottenere una copia del cookie. L'attaccante potrebbe essere un utente legittimo che desidera aumentare i privilegi, oppure qualcuno che effettua sniffing sulla rete per ottenere una copia dei cookie HTTP.
Sniffare il cookie utilizzando un sniffer di rete come Wireshark
Ottenere il cookie utilizzando un'utilità come il Firefox Cookie Manager, Chrome DevTools o AnEC Cookie Editor.
Rubare il cookie tramite un attacco di cross-site scripting.
Indovinare il contenuto del cookie se contiene informazioni prevedibili.
Attack Techniques
-
Guess cookie contents if it contains predictable information.
-
Steal cookie via a cross-site scripting attack.IT: Indovina il contenuto del cookie se contiene informazioni prevedibili.
-
Sniff cookie using a network sniffer such as WiresharkIT: Indovina il contenuto del cookie se contiene informazioni prevedibili.
-
Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.IT: Indovina il contenuto del cookie se contiene informazioni prevedibili.
2
Step 2
Experiment[Obtain sensitive information from cookie] The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.
If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.
Analyze the cookie's contents to determine whether it contains any sensitive information.
AI Translation
[Ottenere informazioni sensibili dal cookie] L'attaccante potrebbe essere in grado di ottenere informazioni sensibili dal cookie. Gli sviluppatori dell'applicazione web potrebbero aver presumibilmente che i cookie non siano accessibili dagli utenti finali e, quindi, aver inserito potenzialmente informazioni sensibili al loro interno.
Se il cookie mostra segni di essere codificato utilizzando uno schema standard come base64, decodificalo.
Analizza il contenuto del cookie per determinare se contiene informazioni sensibili.
Attack Techniques
-
Analyze the cookie's contents to determine whether it contains any sensitive information.
-
If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.IT: Analizza il contenuto del cookie per determinare se contiene informazioni sensibili.
3
Step 3
Experiment[Modify cookie to subvert security controls.] The adversary may be able to modify or replace cookies to bypass security controls in the application.
Modify logical parts of cookie and send it back to server to observe the effects.
Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
Modify cookie bitwise and send it back to server to observe the effects.
Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a 'points balance' for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.
AI Translation
[Modificare i cookie per eludere i controlli di sicurezza.] L'adversario potrebbe essere in grado di modificare o sostituire i cookie per bypassare i controlli di sicurezza nell'applicazione.
Modificare le parti logiche del cookie e reinviarlo al server per osservare gli effetti.
Modificare le parti numeriche del cookie aritmeticamente e reinviarlo al server per osservare gli effetti.
Modificare il cookie bitwise e reinviarlo al server per osservare gli effetti.
Sostituire il cookie con un cookie legittimo più vecchio e reinviarlo al server per osservare gli effetti. Questa tecnica sarebbe utile nei casi in cui il cookie contiene un "saldo punti" per un determinato utente, dove i punti hanno un certo valore. L'utente può spendere i propri punti e poi sostituire il cookie con uno più vecchio per ripristinare il saldo.
Attack Techniques
-
Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
-
Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.IT: Modifica le parti numeriche del cookie in modo aritmetico e invialo nuovamente al server per osservare gli effetti.
-
Modify logical parts of cookie and send it back to server to observe the effects.IT: Modifica le parti numeriche del cookie in modo aritmetico e invialo nuovamente al server per osservare gli effetti.
-
Modify cookie bitwise and send it back to server to observe the effects.IT: Modifica le parti numeriche del cookie in modo aritmetico e invialo nuovamente al server per osservare gli effetti.
Mitigations
4
Design: Generate And Validate Mac For Cookies
Design: Use Input Validation For Cookies
Implementation: Ensure The Web Server Implements All Relevant Security Patches, Many Exploitable Buffer Overflows Are Fixed In Patches Issued For The Software.
Implementation: Use Ssl/Tls To Protect Cookie In Transit
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Relationships
Related ATT&CK Techniques
1
T1539
Steal Web Session Cookie
An adversary may steal web application or service session cookies and use them to gain access to web applications or …
Resources Required
1
A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior.