05-Web Application Vulnerabilities II (Website Attacks Tips)

College of Information Technology Lecturer: Dr. Hassan H. Alrehamy
Department of Information Security Year(III)-Term(I)-Lecture(#5)

Client side vulnerabilities

We often hear about vulnerabilities in client software, such as web browsers and
email applications, that can be exploited by malicious agents. The repeated stories
about botnets, infected web sites, and viruses that infect us with malicious content
have ingrained the concept of an exploitable client in our minds. Unfortunately,
client software can also be targeted with attacks from compromised servers accessed
by the clients. One important element in such attacks is the HTTP cookie.

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server
sends to a user's web browser. The browser may store the cookie and send it back
to the same server with later requests. Typically, an HTTP cookie is used to tell
whether two requests come from the same browser, keeping a user logged in, for
example. It remembers stateful information for the stateless HTTP protocol.

Cookie purposes
- Session management: logins, shopping carts, game scores, or anything else
  the server should remember.
- Personalization: user preferences, themes, and other settings.
- Tracking: recording and analyzing user behavior.


Cookies were once used for general client-side storage. While this made sense when
they were the only way to store data on the client, modern storage APIs are now
recommended. Cookies are sent with every request, so they can worsen performance
(especially over mobile data connections).

After receiving an HTTP request, a server can send one or more cookies with the
response. The browser usually stores the cookie and sends it with requests made to
the same server inside a Cookie HTTP header. It is possible to specify an expiration
date or time period after which the cookie shouldn't be sent. It is also possible to
restrict the cookie to a specific domain and path to limit where it is sent.


Cookie Security
When a web application stores information in cookies, it must be kept in mind that
all cookie values are visible to, and can be changed by, the end user. Depending on
the application, you may want to use an opaque identifier that the server looks up,
or investigate alternative authentication/confidentiality mechanisms such as Web
Tokens.

A cookie is associated with a domain. If this domain is the same as the domain of
the page you're on, the cookie is called a first-party cookie. If the domain is
different, it's a third-party cookie. While the server hosting a web page sets
first-party cookies, the page may contain images or other components stored on
servers in other domains (for example, ad banners) that may set third-party cookies.
These are mainly used for advertising and tracking across the web; the types of
cookies used by Google are one example. A third-party server can create a profile
of a user's browsing history and habits based on the cookies sent to it by the same
browser when accessing multiple sites. Firefox, by default, blocks third-party
cookies that are known to contain trackers. Third-party cookies (or just tracking
cookies) may also be blocked by other browser settings or extensions. Cookie
blocking can cause some third-party components (such as social media widgets) not
to function as intended.

Depending on the programming language of a web application, a cookie can be
easily created as a set of key-value pairs. For example, to create a cookie in an
ASP.NET application:
// Create a multi-valued cookie named "userInfo" (HttpCookie lives in System.Web)
HttpCookie userInfo = new HttpCookie("userInfo");
userInfo["UserName"] = "Alrehamy";
userInfo["UserLoc"] = "Iraq";
// Expires is a DateTime value; DateTime.Add returns a new value rather than
// modifying the existing one, so the result must be assigned back
userInfo.Expires = DateTime.Now.Add(new TimeSpan(0, 1, 0));
Response.Cookies.Add(userInfo);

Or even:

// Single-valued cookies, created implicitly by assigning a value
Response.Cookies["userName"].Value = "Alrehamy";
Response.Cookies["userLoc"].Value = "Iraq";

- A cookie is a text-based file stored on the client machine. This file is usually
  located under the "C:\Documents and Settings\Currently_Login user\Cookie" path.
- We need to import the namespace System.Web (which contains the HttpCookie class)
  before we use cookies.
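The lecture's first snippet stores readable fields (UserName, UserLoc) directly in the cookie, which is exactly the case the "opaque identifier" advice above warns about. The following added example (not from the lecture notes) parses Set-Cookie headers, including the expires and path attributes discussed earlier, and reports which protections an authentication cookie is missing; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the protections an authentication cookie needs."""
from dataclasses import dataclass, field

# Constructed sample headers: the first is roughly what the lecture's ASP.NET
# snippet would emit, the second is a session cookie with protections set.
SAMPLE_HEADERS = [
    "userInfo=UserName=Alrehamy&UserLoc=Iraq; expires=Mon, 01 Jan 2024 00:01:00 GMT; path=/",
    "ASP.NET_SessionId=k3x9q2m7p1v8w4z6n0b5c2d7; path=/; HttpOnly; Secure; SameSite=Lax",
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # only the first '=' separates name/value
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def audit(header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means no issues found."""
    cookie = parse_set_cookie(header)
    findings = []
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: also sent over plain HTTP, visible to intermediaries")
    if "samesite" not in cookie.attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    if "=" in cookie.value or "&" in cookie.value:
        findings.append("stores readable fields, not an opaque identifier the server looks up")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(parse_set_cookie(header).name, audit(header) or "ok")
```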


To read cookie information sent by a client browser:

// The cookie is null if the browser did not send it, so check before reading
HttpCookie reqCookies = Request.Cookies["userInfo"];
if (reqCookies != null)
{
    string User_name = reqCookies["UserName"];
    string User_loc = reqCookies["UserLoc"];
}

As indicated earlier, cookies are important targets in cyberattacks, especially
when the targeted users hold important login information (e.g. administrators). The
most famous attack on cookies is known as session hijacking.

Session hijacking is the exploitation of a valid computer session, sometimes also
called a session key, to gain unauthorized access to information or services in a
computer system. In particular, it refers to the theft of a magic cookie used to
authenticate a user to a remote server. It has particular relevance to web
developers, as the HTTP cookies used to maintain a session on many web sites can
be easily stolen by an attacker using an intermediary computer or with access to the
saved cookies on the victim's computer.

ASP.NET session state is Microsoft's technology that lets us store server-side,
user-specific data. A user's session state is identified by a Session ID, carried in
a cookie called ASP.NET_SessionId. When the user requests a web page for the first
time, the server creates a unique read-only string token (a 24-character string) as
the Session ID and appends it to the request/response header. The server uses it on
every later request to identify the user sending the request. This Session ID
expires when the user closes the browser. If the Session ID is embedded in the URL
instead, the technique is known as a cookie-less session.

Consider a user named "User 1" who sends a request to the server. The first time, a
new ASP.NET session cookie is generated by the server and sent back to "User 1" in
the response header. The same cookie is then placed in the request header and sent
back to the server with each and every request, so the server can identify every
request sent by "User 1" from this session cookie. If the user accesses the same
web page or application from two different browsers, or from separate instances of
the same browser, the session cookies generated will be different for each one; if
the user opens multiple tabs in a single browser, all the tabs share the same
session cookie. Now suppose an attacker steals the cookie of "Browser 1" and places
it into "Browser 2": all the session information of "Browser 1" becomes available
to "Browser 2". This can easily be done with freely available tools or browser
plugins such as Modify Headers, Burp or Fiddler.
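The copied-cookie scenario above has a visible footprint on the server side: the same ASP.NET_SessionId arrives from two different clients while the session is alive. The added example below (not from the lecture notes) runs that check over constructed web-server log lines; the log format and the 24-character session IDs are assumptions for the example.

```python
"""Flag ASP.NET_SessionId values presented by more than one client."""
import re
from collections import defaultdict

# Constructed log lines: time, client IP, user agent, path, session cookie.
# Lines 1-3 show one session ID arriving from two different clients.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 "Firefox/118" /account ASP.NET_SessionId=k3x9q2m7p1v8w4z6n0b5c2d7
10:00:09 203.0.113.5 "Firefox/118" /orders ASP.NET_SessionId=k3x9q2m7p1v8w4z6n0b5c2d7
10:00:15 198.51.100.7 "Chrome/117" /admin ASP.NET_SessionId=k3x9q2m7p1v8w4z6n0b5c2d7
10:01:00 192.0.2.9 "Safari/17" /home ASP.NET_SessionId=a1b2c3d4e5f6g7h8i9j0k1l2
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) ASP\.NET_SessionId=(\S+)$')


def parse_log(text):
    """Yield (time, ip, user_agent, path, session_id) for each well-formed line."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groups()


def find_shared_sessions(text):
    """Return {session_id: sorted [(ip, user_agent), ...]} for IDs used by >1 client.

    A session cookie issued to one browser should keep arriving from that same
    client; a second (ip, user agent) pair on the same ID is the signal that the
    cookie was copied into another browser, as in the Browser 1 / Browser 2 case.
    """
    clients = defaultdict(set)
    for _, ip, user_agent, _, session_id in parse_log(text):
        clients[session_id].add((ip, user_agent))
    return {sid: sorted(pairs) for sid, pairs in clients.items() if len(pairs) > 1}


if __name__ == "__main__":
    for sid, pairs in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} seen from {len(pairs)} clients: {pairs}")
```

A client whose IP changes legitimately (mobile networks, corporate proxies) will also trigger this rule, so treat a hit as a signal to invalidate and re-authenticate the session rather than as proof of an attack.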
Cookie-related Law Regulations
Legislation or regulations that cover the use of cookies include:
- The General Data Protection Regulation (GDPR) in the European Union
- The ePrivacy Directive in the EU
- The California Consumer Privacy Act
These regulations have global reach: they apply to any site on the World Wide Web
that users from these jurisdictions access. They include requirements such as:
- Notifying users that your site uses cookies.
- Allowing users to opt out of receiving some or all cookies.
- Allowing users to use the bulk of your service without receiving cookies.
There may be other regulations that govern the use of cookies in your locality. The
burden is on you to know and comply with these regulations.
