CAPEC-31

Accessing/Intercepting/Modifying HTTP Cookies
Likelihood of Attack: High
Typical Severity: High
Status: Draft
Submitted: 2014-06-23 00:00 +00:00
Last Modified: 2022-09-29 00:00 +00:00

CAPEC Description

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

CAPEC Information

Execution Flow

1) Explore

[Obtain copy of cookie] The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.

Technique
  • Sniff cookie using a network sniffer such as Wireshark
  • Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.
  • Steal cookie via a cross-site scripting attack.
  • Guess cookie contents if it contains predictable information.

2) Experiment

[Obtain sensitive information from cookie] The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.

Technique
  • If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.
  • Analyze the cookie's contents to determine whether it contains any sensitive information.

3) Experiment

[Modify cookie to subvert security controls.] The adversary may be able to modify or replace cookies to bypass security controls in the application.

Technique
  • Modify logical parts of cookie and send it back to server to observe the effects.
  • Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
  • Modify cookie bitwise and send it back to server to observe the effects.
  • Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.

Prerequisites

Target server software must be an HTTP daemon that relies on cookies.
The cookies must contain sensitive information.
The adversary must be able to make HTTP requests to the server, and the cookie must be contained in the reply.

Skills Required

To overwrite session cookie data, and submit targeted attacks via HTTP
Exploiting a remote buffer overflow generated by attack

Resources Required

A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior.

Mitigations

Design: Use input validation for cookies
Design: Generate and validate MAC for cookies
Implementation: Use SSL/TLS to protect cookie in transit
Implementation: Ensure the web server implements all relevant security patches; many exploitable buffer overflows are fixed in patches issued for the software.
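The two design mitigations above (input validation for cookies, and generating and validating a MAC over them) are what defeat the modification techniques listed under step 3 of the Execution Flow. The following is an added example, not part of the CAPEC entry or any MITRE code, showing a server-side cookie format that carries an HMAC-SHA256 tag and an expiry. It then checks that the three modification techniques from the Execution Flow (arithmetic change of a numeric field, a single-bit flip, and replay of an older cookie) are all rejected before the server acts on the contents. The secret key, field names and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store,
# never from source code.
SECRET_KEY = b"constructed-demo-key-do-not-use"

# The only fields a cookie may carry, and their required JSON types
# (input validation is applied only after the MAC has been verified).
ALLOWED_FIELDS = {"user": str, "points": int, "exp": int}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes = SECRET_KEY,
                now: Optional[int] = None, ttl: int = 3600) -> str:
    """Serialize payload plus an expiry and append an HMAC-SHA256 tag."""
    body = dict(payload)
    body["exp"] = (now if now is not None else int(time.time())) + ttl
    # Canonical encoding: sorted keys, no whitespace, so the MAC is stable.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return f"{_b64(raw)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY,
                  now: Optional[int] = None) -> Optional[dict]:
    """Return the validated payload, or None if the cookie must not be trusted."""
    # 1. Structural checks before decoding anything.
    if not isinstance(cookie, str) or cookie.count(".") != 1 or len(cookie) > 4096:
        return None
    body_b64, tag_b64 = cookie.split(".")
    try:
        raw, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None
    # 2. Integrity: recompute the MAC and compare in constant time.
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    # 3. Content validation, only now that the bytes are known to be ours.
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(body, dict) or set(body) != set(ALLOWED_FIELDS):
        return None
    for field, typ in ALLOWED_FIELDS.items():
        if type(body[field]) is not typ:  # 'is' also rejects bool posing as int
            return None
    if body["points"] < 0:
        return None
    # 4. Freshness: an expired cookie is rejected, which bounds replay of old copies.
    if body["exp"] < (now if now is not None else int(time.time())):
        return None
    return body


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the verifier against the modification techniques in the entry."""
    good = sign_cookie({"user": "alice", "points": 10}, now=now)
    body_b64, tag_b64 = good.split(".")

    # Arithmetic modification of the numeric part, original tag kept.
    forged_raw = _unb64(body_b64).replace(b'"points":10', b'"points":10000')
    forged = f"{_b64(forged_raw)}.{tag_b64}"

    # Bitwise modification: flip one bit of the encoded body, tag kept.
    raw = bytearray(_unb64(body_b64))
    raw[0] ^= 0x01
    flipped = f"{_b64(bytes(raw))}.{tag_b64}"

    # Replay: a genuinely signed but older cookie whose expiry has passed.
    old = sign_cookie({"user": "alice", "points": 10}, now=now - 7200)

    return {
        "valid_accepted": verify_cookie(good, now=now) is not None,
        "arithmetic_rejected": verify_cookie(forged, now=now) is None,
        "bitflip_rejected": verify_cookie(flipped, now=now) is None,
        "replay_rejected": verify_cookie(old, now=now) is None,
        "garbage_rejected": verify_cookie("not-a-cookie", now=now) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the MAC is verified before the JSON is parsed, so malformed or oversized bodies never reach the parser, and `hmac.compare_digest` avoids leaking tag bytes through timing. The expiry only bounds the replay window; a server that must reject an older cookie outright (the "points balance" case above) also needs server-side state, such as storing the balance under a session identifier rather than in the cookie.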

Related Weaknesses

CWE-ID and Weakness Name

CWE-565: Reliance on Cookies without Validation and Integrity Checking
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

CWE-302: Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

CWE-311: Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CWE-539: Use of Persistent Cookies Containing Sensitive Information
The web application uses persistent cookies, but the cookies contain sensitive information.

CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-315: Cleartext Storage of Sensitive Information in a Cookie
The product stores sensitive information in cleartext in a cookie.

CWE-384: Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

CWE-472: External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

CWE-602: Client-Side Enforcement of Server-Side Security
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

CWE-642: External Control of Critical State Data
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

References

REF-1: G. Hoglund, G. McGraw. Exploiting Software: How to Break Code.

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-01-09 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Execution_Flow, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Execution_Flow, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Example_Instances, Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Taxonomy_Mappings