Secure Cookies, are they really secure?

February 4, 2008

Consider the following scenarios:-

Scenario:-1. The cookies in browser are set by application which is accessible over SSL (HTTPS). The same website(same domain) offers some functionality over HTTP, which is vulnerable to Cross Site Scripting (XSS). Can, an attacker obtain his cookies?

Case:-1 Cookies are not marked secure by the application, so the browser sends it to http as well, hence, an attacker can obtain them through XSS

Case:-2 Cookies are marked as secure, so the browser does not send them over HTTP, and hence an attacker can't get them through XSS on HTTP site. This answers the question, asked in the title. Secure cookies, are indeed secure.

Scenario:-2 Cookie is set by website over HTTP(cookies not marked secure). The website over HTTPS is vulnerable to xss. Browser will send cookies to the vulnerable website (over SSL). An attacker can gain all cookies associated with this domain name.

Hope this helps. 

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback