How To Prevent Cookie Injection Attack On Your Web Applications

Cookies are messages that a web servers sends to the web browser when visited the Internet sites. Cookies are basically used to track website activities. While visiting a visit site, the server gives a cookie that acts as an identification card. On requesting for another page on the same site, the browser passes that cookie back to the server. In this way, a web server can collect information about which web pages are mostly used by the user.

Attack: Now the information gathered from these cookies can be read only by the particular website that creates those cookies. So in short other servers do not have access to these cookies. However cookies can be stolen by hackers and be used to get unauthorized access to critical data. This can be done using SQL injection or Cross site scripting.

If cookies are in the form of clear text, hexadecimal, base64, hashes, serialized information, hackers can easily determine and decode the same and inject SQL queries.

The solution to prevent such cookie injection is similar to the solution given for session vulnerabilities (mentioned in the above link). In addition to the given solution, another important way through which cookie injection attack can be prevented is:

  • Conducting pure sanitization and validation on the server side. Any unknown action observed by the server must not be entertained. And the server must be smart enough to understand the abnormality in a request.
  • Place the cookies on the header for better security.
  • Randomize the token which is part of the cookie and make it unpredictable.

Check this link to know more on the session vulnerabilities:
Session Vulnerabilities in Web Application