Unit4sec
Web Application Security: Cookie Properties
Ahmet Can Karaağaçlı
Table of Contents
Contents
01.
Introduction
02.
Expire
03.
Path
04.
Domain
05.
Httponly & Secure Flag
06.
Samesite
unit4sec.com | Cookie Properties
01
INTRODUCTION
In my previous blog, I talked about CORS and SOP concepts and explained how cookies work. I also mentioned the cookie mechanism in earlier posts related to web browsers. In this blog, I'll start by summarizing some details about cookies based on RFC-6265. Then, I'll note down some simple explanations about security headers that we encounter while testing web applications.
The cookie features we aim to discuss in this article are:
Cookies help manage user sessions and application states in web apps. They act like small databases stored by servers in browsers. They verify our identity with every request sent. They have certain settings that control how they work on the user's side.
Let's talk about these settings in simple terms. Every cookie has a name, which we're familiar with using the 'name' parameter. For example, sessionid=6161...
unit4sec.com | Cookie Properties
02
Expire
Suppose we log into an application. Depending on the session setup, it will expire after some time. (The server configures this, but the browser's stored cookie info can be deleted to show this to the user.) There's a cookie feature called 'expire' that decides when the browser should delete this cookie info.
We can set the 'Expire' value as follows:
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Example: Set-Cookie: id=xx; Expires=Fri, 5 Oct 2021 11:10:00 GMT;
Similarly, 'max-age' can be used to specify the lifespan of a cookie. In the 'max-age' format, the time duration for which the cookie should persist is stated in seconds.
Set-Cookie: <cookie-name>=<cookie-value>; max-age=<seconds>
Example: Set-Cookie: id=xx; Expires=max-age=61
When both 'Expire' and 'max-age' are set, in modern browsers, 'max-age' will override 'Expire' since the 'Expire' feature has been deprecated in favor of 'max-age'.
"
Implementing proper expiration settings for cookies is particularly vital in enhancing the security of a web application, ensuring sensitive data isn't retained longer than necessary.
unit4sec.com | Cookie Properties
03
path
Secondly, the 'path' parameter. Depending on the application's design, you might want to develop different web applications within different directories and set different cookies in these directories. In this case, as a developer, the 'path' parameter will be useful.
Let's imagine you've created two separate applications, such as example.com/app1 and example.com/app2, under the same domain but in different directories. If you set the 'path' value as /app1 for a cookie, it will be transmitted with requests made to all directories under /app1/.../.
Set-Cookie: <cookie-name>=<cookie-value>; path=/<path>
Example: Set-Cookie: id=xx; Expires=max-age=61; path=/app1
Speaking of different applications, let's say we've created our applications not in directories but as subdomains. We want to set different cookies for app1.example.com and app2.example.com. In this case, the cookie attribute we'd use is 'domain.'
unit4sec.com | Cookie Properties
04
domain
Speaking of different applications, let's assume we've created our applications not in directories but as subdomains. We want to set different cookies for app1.example.com and app2.example.com. In this case, the cookie attribute we'd use is 'domain.'
Set-Cookie: <cookie-name>=<cookie-value>; domain=<domain>
Example: Set-Cookie: id=xx; Expires=max-age=61; domain=app1.example.com
Considering the example above, it's important to note that with the mentioned example, the cookie information will be transmitted with requests to all subdomains of app1.example.com.
unit4sec.com | Cookie Properties
05
httponly & Secure Flag
Some Security Flags Problem
Another feature I'd like to discuss relates more to web application security, involving attributes that can help prevent certain web application attacks.
During penetration testing or other web application security checks, one common issue we encounter by default is communicating over an insecure connection, i.e., using HTTP. In case a request is sent over unencrypted HTTP, there's a security feature we can use to prevent someone intercepting the network from hijacking the session cookie, and that's the 'secure' attribute.
Secure Flag
In short, if the 'secure' attribute is marked for a cookie in your server settings, the browser will only transmit that particular cookie in HTTPS requests. If the request is made over HTTP, the browser will withhold sending this cookie to the site.
"
The 'Secure' flag option plays a critical role in bolstering the security of a web application by restricting cookie transmission to secure HTTPS connections only, mitigating the risk of interception and unauthorized access to sensitive information
unit4sec.com | Cookie Properties
06
Httponly
Additionally, one of the most effective features, in my opinion, is the 'httponly' attribute. One of the situations where XSS attacks have the highest impact is in account takeover scenarios. The nature of this vulnerability involves running JavaScript on the client side. JavaScript access means access to cookies (document.cookie), the ability to send requests via AJAX, and if no additional security measures are taken for session management (such as IP-based controls, etc.), it could result in seizing control of the victim's account using the obtained cookie information.
With the 'httponly' attribute, the browser prevents JavaScript from accessing the cookie information marked as 'httponly'. This way, even if there's an XSS vulnerability in the application, it stops the reading and consequently theft of cookie data.
unit4sec.com | Cookie Properties
07
Samesite
Another common weakness in web application security is CSRF (Cross-Site Request Forgery). In one of the previous articles, we briefly discussed how browsers access cookie information while forwarding requests. Although, according to the Same Origin Policy, JavaScript from Site A cannot access cookies from Site B, when you submit a form on Site A, the request sent to Site B will include the cookie information belonging to Site B fetched from the browser
Let's imagine browsing a site like malicious.com. This site contains a form that, when clicked on any link or button, sends a request to bank.com. Consider that this request triggers a sensitive function on bank.com, such as a money transfer function. When the browser sends a request to bank.com, if that site's cookie information is stored in the browser, it includes that cookie information in the request being sent. Consequently, an authenticated request goes to that site. However, you didn't intend to send this request, hence the term used for this attack: cross-site request forgery (CSRF), a form of inter-site request forgery.
unit4sec.com | Cookie Properties
08
At this point, alongside CSRF tokens, checking the origin/referer header, and other methods to prevent CSRF vulnerabilities, the 'SameSite' attribute comes into play. A cookie marked as 'SameSite' blocks requests/forms transmitted through the browser if they don't originate from the relevant domain. The 'SameSite' attribute for a cookie can be used with three different parameters:
In modern browsers, the 'SameSite' attribute may be automatically added by default. It's advisable to ensure the server has set this attribute by testing with different browsers.
References
unit4sec.com | Cookie Properties
09