[Owasp-testing] Copy Cookies

Stephen de Vries stephen at twisteddelight.org
Thu Jul 22 03:46:46 EDT 2010


On Jul 22, 2010, at 5:03 AM, Zaki Akhmad wrote:
> 
> I found that the web application I am testing is vulnerable through its
> cookies. After I successfully log in with the userid and password provided,
> I can copy the cookies to another browser/computer so that he/she can
> enter the web application without logging in.
> 
> How do I fix this vulnerability?

I wouldn't really call this a vulnerability; it's how 99% of the web applications on the internet work.  After login, the session ID is stored in a cookie which is then used as the only authentication token from that point onwards.  Security controls are usually then built around preventing access to the cookie, so make sure the app doesn't have XSS vulnerabilities, the cookie is transferred only over HTTPS and has the httponly and "secure" flags set.


Stephen
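The controls Stephen lists (HTTPS-only transfer via the Secure flag, script access blocked via the HttpOnly flag, and a session ID that is the sole bearer token) can be checked and applied mechanically. The following is an added example, not code from the thread or from any application discussed in it: one function builds a hardened Set-Cookie header for a session ID, and another audits an existing Set-Cookie header and reports which protections are missing. The cookie name SESSIONID is an assumption, and the SameSite attribute is a later addition that the 2010 thread does not mention.

```python
"""Session-cookie hardening and audit helpers (added example, not from the thread).

The session cookie is a bearer token: whoever holds it is logged in. The
defence is therefore to keep it out of reach: only over HTTPS (Secure), never
readable by page script (HttpOnly), and unpredictable (random session ID).
"""

import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "SESSIONID"  # assumed name; the thread gives none


def new_session_id() -> str:
    """Return an unguessable session ID (256 bits of randomness, URL-safe)."""
    return secrets.token_urlsafe(32)


def build_session_cookie(session_id: str, name: str = SESSION_COOKIE_NAME) -> str:
    """Return a Set-Cookie header value carrying the session ID with
    Secure and HttpOnly set. SameSite=Lax is a modern addition not in the
    thread; it stops most cross-site requests from carrying the cookie."""
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["secure"] = True      # browser sends it only over HTTPS
    cookie[name]["httponly"] = True    # document.cookie cannot read it
    cookie[name]["samesite"] = "Lax"   # assumption: not discussed on the page
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and list the protections it lacks.

    Returns {"name": <cookie name>, "findings": [<human-readable issue>, ...]};
    an empty findings list means the cookie carries every expected flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # bare flags such as Secure / HttpOnly

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page script (and any XSS) can read it")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cross-site requests carry the cookie")
    return {"name": name, "findings": findings}


def audit_response_headers(headers: list) -> dict:
    """Audit every Set-Cookie header in a list of (name, value) pairs,
    keyed by cookie name, so a whole login response can be checked at once."""
    return {
        result["name"]: result["findings"]
        for field, value in headers
        if field.lower() == "set-cookie"
        for result in [audit_set_cookie(value)]
    }


if __name__ == "__main__":
    # Constructed sample: a legacy login response that sets the session cookie
    # without any flags, beside the hardened header this module would emit.
    legacy_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ]
    for cookie_name, issues in audit_response_headers(legacy_headers).items():
        print(cookie_name, "->", issues)
    print(build_session_cookie(new_session_id()))
```

The audit parses the header textually rather than through a cookie library so that it also reports on malformed or unusual headers instead of silently dropping them; run it against the Set-Cookie headers returned by the login response of the application under test.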

