Recipe 8-2: Detecting Cookie Tampering
This recipe shows you how to identify when attackers attempt to change cookie data.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_appsensor_detection_point_2.3_session_exception.conf
- ModSecurity
- RESPONSE_HEADERS:Set-Cookie variable
- REQUEST_HEADERS:Cookie variable
- setsid action
- setvar action
Because applications take data submitted by clients in Cookie headers and act on it, cookies are a ripe target for attackers. Cookie data may tell the application who you are, whether you have authenticated successfully, or what your role is within the application. Malicious users try to circumvent this logic by manipulating cookie values in the hope of gaining unauthorized access to data.
Sample Cookie-Based SQL Injection Attack
As an example, let's look at the following demo bank login transaction:
POST /bank/login.aspx HTTP/1.1
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://demo.testfire.net/bank/login.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

Uid=bsmith&passw=Pa$$wd123&btnSubmit=Login

HTTP/1.1 302 Found
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /bank/main.aspx
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: ...
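The detection logic the ingredients list points at is simple to state: capture every cookie the application issues in a Set-Cookie response header, file it under the session identifier (what setsid and setvar:session.<name> do in ModSecurity), and compare the Cookie header of each later request against that record. The following Python is an added example of that logic and is not code from the book or from the OWASP CRS; the cookie names (ASP.NET_SessionId, amUserId) and values are constructed for the demonstration and stand in for the Set-Cookie headers missing from the truncated response above.

```python
"""Cookie-tampering detector modelled on the recipe's ModSecurity approach.

Added example, not code from the book or the OWASP CRS. It records the
cookies an application issues in Set-Cookie response headers, keyed by the
session cookie (the equivalent of setsid + setvar:session.<name>), and then
compares the Cookie header of every later request against that record
(the equivalent of a rule over REQUEST_HEADERS:Cookie). Cookie names and
values used in demo() are constructed for the demonstration.
"""


def parse_set_cookie(header):
    """Return (name, value) from one Set-Cookie header.

    Attributes such as path, expires and HttpOnly follow the first ';' and
    are not needed for the comparison, so they are dropped.
    """
    name_value = header.split(";", 1)[0]
    name, _, value = name_value.partition("=")
    return name.strip(), value.strip()


def parse_cookie_header(header):
    """Parse a request Cookie header ("a=1; b=2") into {name: value}.

    Only the first '=' separates name from value, so an injected payload
    that itself contains '=' (e.g. "' OR '1'='1") stays intact in the value.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


class CookieTamperDetector:
    def __init__(self, session_cookie_name):
        self.session_cookie_name = session_cookie_name
        # session id -> {cookie name: value the application issued}
        self.sessions = {}

    def observe_response(self, set_cookie_headers):
        """Record the cookies issued in a response (ModSecurity phase:3).

        Returns the session id the record was filed under, or None when the
        response carried no session cookie.
        """
        issued = dict(parse_set_cookie(h) for h in set_cookie_headers)
        sid = issued.get(self.session_cookie_name)
        if sid is None:
            return None
        # Later responses may legitimately change a cookie, so merge rather
        # than replace: the newest value issued wins.
        self.sessions.setdefault(sid, {}).update(issued)
        return sid

    def check_request(self, cookie_header):
        """Compare a request's Cookie header with what the application issued.

        Returns a list of (finding, cookie_name, presented_value) tuples;
        an empty list means every cookie matches its issued value.
        """
        presented = parse_cookie_header(cookie_header)
        sid = presented.get(self.session_cookie_name)
        if sid is None or sid not in self.sessions:
            # No record to compare against: the session id is missing,
            # expired, or forged. Report that rather than guess.
            return [("unknown-session", self.session_cookie_name, sid)]
        issued = self.sessions[sid]
        findings = []
        for name, value in presented.items():
            if name not in issued:
                findings.append(("unissued-cookie", name, value))
            elif value != issued[name]:
                findings.append(("tampered-cookie", name, value))
        return findings


def demo():
    """Replay a constructed login response and a tampered follow-up request."""
    detector = CookieTamperDetector("ASP.NET_SessionId")
    # Constructed Set-Cookie headers standing in for the truncated response.
    detector.observe_response([
        "ASP.NET_SessionId=abc123; path=/; HttpOnly",
        "amUserId=100116014; path=/",
    ])
    # Constructed request in which the client rewrote amUserId with SQL.
    tampered = "ASP.NET_SessionId=abc123; amUserId=100116014' OR '1'='1"
    return detector.check_request(tampered)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two caveats carry over to the real rule set. Cookies written by client-side JavaScript through document.cookie never pass through a Set-Cookie header, so they will surface as unissued cookies and need to be exempted or tracked separately. And the per-session record must survive across requests and across WAF nodes, which is what ModSecurity's persistent SESSION collection provides; an in-memory dictionary, as used here, is only adequate for a single process.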