When I started studying about web applications, one of the topics where I spent a hell lot of time was cookies. Once you clearly understand the concept of cookies, I think you are done learning 50% of the basic web application concepts. Yes I said it, because it deals with lot of stuffs like session management which is the basic building block of a web application.
While browsing through various web applications you might have seen this message asking you to set cookies in your browser.
Imagine that you are logged into Facebook. Now you are going to your friend’s (let’s call him Jacob) profile and then sending a message to him. Here HTTP will see basically two requests only. The first request, clicking on your friends profile. Second, you are sending a message. HTTP cannot understand whether these two requests are sent by the same person or different persons. It knows that someone has requested Jacob’s profile and someone is sending Jacob a message. So basically HTTP will be confused by who is the actual sender of the message. But it properly delivers the message into Jacob’s inbox and tell Jacob that you have sent him a message. So there must be an alternate mechanism that tells HTTP that the message is actually sent by you, right? It is cookies who does this job. And let’s name the job as session management.
When you’re logging into Facebook you will be typing your username and password and click the submit button. Immediately your browser will send this information to Facebook server. The server will have a lot of code and a database of all users which contains the username and password. When the server receives this username and password, the code will validate this combination with the data in the database. Once the server understands that the username and password are valid, it will send a response back to the browser saying that the request was ok. When sending this it will also send a key value pair and tell the browser to store it.This key-value pair is called a cookie. The server will also store this value in its database.
Thereafter whenever you send a request to Facebook this cookie will be appended along with the request. The value of your cookie will be unique to you. When Facebook receives this request it will check the cookie and match its value with the value in the database. So that Facebook will start thinking: “ Oh yeah, he has the cookie that I have given him. Well, I can trust him now”. So it can serve you with whatever thing you have requested. If you don’t have the cookie with you, then Facebook will immediately redirect you to the login page.
This cookie will live in your browser until you logout from Facebook. HTTP will be getting thousands of such requests to Facebook. And it can specifically identify you by looking at the cookie value. The time interval between your login and logout is called a session and it is completely controlled by cookie. That is the very basic and I hope it is clear.
Okay, so now you know what is the basic purpose of a cookie. Not now let’s inspect a cookie and understand its metadata. Let us use the New York Times website as an example. To view the cookies of NY Times press F12 so that the web developer toolbar will be fired up. Move ahead to the application tab and there you can see the cookies.
Let’s try to understand each of its attributes.
Those who are trying to understand cookies for the first time might not understand the security specific flags. Explaining it deeply will confuse you even more. Moreover, you don’t need to learn in depth about these flags to understand the basic concept. I will write an article about these 3 flags soon in detail.
Enough theories! Let’s go ahead and bite some cookies. For the demo purpose let’s use the website http://demo.horde.org. Before you click submit let’s install an extension to our browser which can view and edit Cookies. If you are using Chrome browser you can use Edit This Cookie and if you are of Firefox you can install Cookie Editor. I will be using Chrome for the Demo.
Open a new tab and press F12, so that web developer toolbar will show up. Move on to the Applications tab and click open the Cookies from the left sidebar of the tool window. The window will show empty because we haven’t loaded any website yet. Now paste http://demo.horde.org into the url bar, hit Enter and watch the cookies showing up.
Let’s concentrate on the value of each cookie. This website has a login form. You can use demo/demo as username and password and Choose English as language and hit Enter. Now that we have logged in. Have a look at the cookie tab again. The value of HordeDemo is changed.
What happened here? Once the login was success, the horde.org server send this new value of cookie to us. This will be stored in the browser as such unless you logout from the application. You can try logging out from the application if you want to see it yourselves. Anyway, now I am logged in the application. I have a dashboard. I can click on any links, use the application as I wish. Whatever I do, the value of HordeDemo will remain unchanged. Because that is the only identifier that the web server can use to differentiate me from other users. What will happen if I edit the value of that cookie?
Let’s go ahead and do that. You have installed the EditThisCookie extension right? You can see its icon on Chrome’s toolbar. Move on to the http://demo.horde.org and fire up the extension. You can see all the cookies of this website there. (When you click the extension button make sure that you are not in this website. Then you will only be able to see the cookies of https://wst.space. )
Choose HordeDemo cookie and edit the value to anything you like. And then click the Green tick icon at the bottom to save the changes. So, we have changed the value of the cookie. Let’s try to browse the application now. No wonder 🙂 You got logged out. You know why this happened, don’t you? Yes, demo.horde.org couldn’t verify the value of HordeDemo that you have sent. Because, the server has a different value stored in its database. So it cannot verify your identity and it will ask you to login again. Quite obvious!
So far, we have learned only one type of cookie, that is the Session Cookie. There are several other uses for cookies. For example, if you have searched for branded Nike shoes from amazon.com, the very next day when you read some online newspaper you will be served with an advertisement saying that the Nike shoe is now available at a reduced price. How does this happen? It is also cookie activity. I will discuss that deeply in the next part of this series.
What is this web security checklist? Here is a curated web security checklist for developers… Read More
In the last part of the blog series we have seen the history of internet… Read More
Welcome back budding pen-testers. :) In the first part of the blog series we have… Read More