Update cookie-tossing.md

This commit is contained in:
Ruby Perez 2024-04-03 16:33:05 -04:00 committed by GitHub
parent c412e06585
commit f8739577fd
GPG key ID: B5690EEEBB952194


@ -28,7 +28,7 @@ This can be dangerous as the attacker may be able to:
* **Fixate the cookie of the victim to the attacker's account** so if the user doesn't notice, **he will perform the actions in the attacker's account** and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...) * **Fixate the cookie of the victim to the attacker's account** so if the user doesn't notice, **he will perform the actions in the attacker's account** and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...)
* If the **cookie doesn't change after login**, the attacker may just **fixate a cookie (session-fixation)**, wait until the victim logs in and then **use that cookie to log in as the victim**. * If the **cookie doesn't change after login**, the attacker may just **fixate a cookie (session-fixation)**, wait until the victim logs in and then **use that cookie to log in as the victim**.
* Sometimes, even if the session cookies changes, the attacker use the previous one and he willr receive the new one also. * Sometimes, even if the session cookies changes, the attacker use the previous one and he will receive the new one also.
* If the **cookie is setting some initial value** (like in flask where the **cookie** may **set** the **CSRF token** of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token). * If the **cookie is setting some initial value** (like in flask where the **cookie** may **set** the **CSRF token** of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token).
* Just like setting the value, the attacker could also get an unauthenticated cookie generated by the server, get the CSRF token from it and use it. * Just like setting the value, the attacker could also get an unauthenticated cookie generated by the server, get the CSRF token from it and use it.
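Review bot: the "willr" -> "will" fix on the third bullet leaves two other grammar problems on the same line that should go in the same commit: "even if the session cookies changes, the attacker use the previous one" should read "even if the session cookie changes, the attacker uses the previous one". While touching it, consider stating the mechanism the bullet is hinting at, since "receive the new one also" is ambiguous as written: the point is that some servers, when presented with the stale pre-login cookie, respond by issuing the freshly rotated session cookie to whoever sends the old value, so the attacker who fixated it can replay it after the victim logs in and obtain the authenticated session. A suggested wording: "Sometimes, even if the session cookie changes after login, the attacker can present the previous one and the server will also hand him the new one." Note also that "Fixate" in the first two bullets is non-standard English; "Fix" (or "Set") the cookie is the usual term, although "session fixation" as the attack name is correct.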