Cookie Security Attributes
Previously we discussed pentesting cookie-based session implementations where we covered how to identify session tokens and understand how they protect web applications.
To continue on this topic, we’ll now review some of the characteristics of cookies flags and what they mean for an application penetration test.
What are cookie flags?
When a cookie is set via HTTP response headers, it may contain a number of flags that instruct the browser how it should be protected. These are simple text fields separated by a semicolon appended to the cookie value. For example, below is a response setting three flags:
HTTP/1.1 200 Set-Cookie: JSessionID=ABDEF001234ABDEF00123; path=/; HttpOnly; Secure
Here the application sets the flags
What do flags mean for a penetration test?
A penetration test takes a close look at cookie security attributes. After all, they have a wide range of characteristics and a big impact on how well your application can protect users.
Below is a chart with each flag and its behavior:
|path||In a similar fashion to
|SameSite||The SameSite cookie was created as an attempt to reduce the exploitability of CSRF attacks. The SameSite value may be
Remember that there are two ways cookies are set:
Via the HTTP response header
Set-Cookie. Below shows an example:
HTTP/1.1 200 OK [..] Set-Cookie: ASP.NET_SessionId=wiv2oqhrs2u3puhzxetyg21s; path=/; HttpOnly; SameSite=Lax
document.cookie object, cookies can be set “manually” without the use of response headers.
document.cookie = "user=Alice";
How can I view cookie attributes?
As a pentester, using a proxy such as Burp is the most practical way to identify vulnerabilities related to cookie attributes. In your proxy logs, Burp will highlight when cookies are set:
If you’re a developer, using a browser developer console is also an easy way to observe an application’s cookie along with their attributes. In a browser debugger, you can hit
F12 -> Application -> Cookies to see and modify application cookies:
Now that we’ve covered cookies, let’s move on to reviewing cache controls.