Introduction
In this article, we are going to learn about cookie injection, that is, injection through the HTTP cookie, also known as a web cookie or browser cookie. Before we get into the subject matter I want to make one thing clear: there is no such thing as a bad cookie.
So to get us on the way let us first talk about a cookie.
What is a cookie?
Generally, if you have used a login form or any kind of online registration before, you will remember a link or checkbox that reads 'Remember me' or something similar. What it does is simple: the site sends state information to the user's browser, and the browser returns that state information to the origin site on later requests. State information may be used for authentication, identification of a user session, user preferences, a shopping cart, or anything else the website may require.
However, users must know that this little piece of information may be used by attackers as spyware to track a user's browsing activities, with the intention of accessing the victim's web account.
How does it work?
If you are a frequent web user you will most likely remember ticking a checkbox that reads,
"Remember me on this computer,"
What happens behind the scenes is that the website generates a cookie holding the information you supplied, so that the next time you log in you will not need to supply it again. This may include the username, the password, or user preferences. The next time you log in you will not be asked for this information again because it has been stored in the cookie.
Cookies are not malicious in themselves and they are not software: they cannot install malware on the host computer and cannot be a virus. However, they can be used by attackers as spyware to track users' activities, which is a cause for concern. Cookies can also be stolen by attackers to gain access to a victim's account.
If you visit most web pages today they will give you a notification to 'Allow' or 'Disallow' cookies.
The following is a Google Chrome snippet on how to manage cookies:
Clear all cookies
If you remove cookies, you'll be signed out of websites and your saved preferences could be deleted.
- On your computer, open Chrome.
- At the top right, click More > Settings.
- Under "Privacy and security," click Cookies and other site data.
- Click See all cookies and site data, then Remove all.
- Confirm by clicking Clear all.
From the above information, we learn that cookies are stored by browsers and now let us look at how they can be used maliciously to attack the user.
Cookie Injection
Cookie variables can be used to attack users on the web. Attackers who want access to a user's account may use cookies to achieve that goal. Cookies are often not treated as user input, even though they are exactly that. Cookies may contain data that is hex-encoded, hashed, serialized, or plain. In the following example, SQL commands are injected through a cookie.
```php
function is_employee($employee) {
    global $prefix, $db, $employee_prefix;
    if (!is_array($employee)) {
        // Cookie value: base64 of "employee_id:name:password"
        $employee = base64_decode($employee);
        $employee = explode(":", $employee);
        $employeeid = "$employee[0]";
        $passwd = "$employee[2]";
    } else {
        $employeeid = "$employee[0]";
        $passwd = "$employee[2]";
    }
    if ($employeeid != "" AND $passwd != "") {
        // The cookie-supplied id is concatenated straight into the query (SQL injection)
        $sql = "SELECT employee_password FROM " . $employee_prefix . "_employee WHERE employee_id = '$employeeid'";
        $result = $db->sql_query($sql);
        $row = $db->sql_fetchrow($result);
        $pass = $row['employee_password'];
        // Stored password is compared with the password taken from the cookie
        if ($pass == $passwd && $passwd != "") {
            return 1;
        }
    }
    return 0;
}
```
The function reads an employee id, an unused middle field, and a password from a base64-encoded cookie of the form id:name:password. If the attacker sets the cookie to the base64 encoding of abcde' UNION SELECT 'pwd'::pwd, the query becomes:
```sql
SELECT employee_password FROM company_employees WHERE employee_id='abcde' UNION SELECT 'pwd'
```
The query now returns the attacker's chosen value 'pwd' as the stored password, which is compared against the password supplied in the same cookie, so the attacker gains unauthorized entry into the system without knowing the real password. Since an HTTP interceptor can modify the request before it is sent to the server, the attacker can place the malicious SQL statement in the cookie field. In this case the attacker cannot use raw special characters, but, just as with HTTP GET/POST SQL injection, they can still extract the password from the website or web application; everything the attacker sends has to be URL encoded.
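A hardened counterpart to the vulnerable is_employee() function above, written for this article as an added example (it is not code from the original page or from any particular product). It assumes a PDO connection in $db, the same $employee_prefix . "_employee" table convention, and that the stored password column holds a password_hash() value rather than plaintext.

```php
<?php
// Hardened version of is_employee(): the cookie is still treated as untrusted
// input, the id never reaches the SQL text, and the password is verified
// against a stored hash. Assumed: $db is a PDO connection.
function is_employee_safe(PDO $db, string $employee_prefix, string $cookie): int {
    // Strict decoding: reject anything that is not valid base64.
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) {
        return 0;
    }
    // Expect exactly three fields "id:name:password"; limit 3 lets the
    // password itself contain ':' without breaking the split.
    $parts = explode(':', $decoded, 3);
    if (count($parts) !== 3) {
        return 0;
    }
    [$employeeid, , $passwd] = $parts;
    // Allow-list the id before it is used anywhere; a payload such as
    // "abcde' UNION SELECT 'pwd'" fails this check outright.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $employeeid) || $passwd === '') {
        return 0;
    }
    // Table names cannot be bound as parameters, so the prefix (which comes
    // from configuration, not the user) is restricted to a safe alphabet too.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $employee_prefix)) {
        return 0;
    }
    $table = $employee_prefix . '_employee';
    // Prepared statement: the id travels as data, so a UNION in the cookie
    // cannot change the structure of the query.
    $stmt = $db->prepare("SELECT employee_password FROM {$table} WHERE employee_id = :id");
    $stmt->execute([':id' => $employeeid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 0;
    }
    // Constant-time comparison against the stored hash; a plaintext password
    // is never kept in the database or compared with ==.
    return password_verify($passwd, $row['employee_password']) ? 1 : 0;
}
```

Even with these checks, a cookie that carries the password is a weak design; a random, server-side session identifier that maps to the user is the better "remember me" token.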
Conclusion
Just like any other form of injection, cookie values need to be validated before being used in SQL queries. Used without proper validation they can cause a lot of damage to unsuspecting users and may result in a loss of integrity and confidentiality.