

Hackers Think Cookies Are Tasty, Too - ainsleyb
http://blog.tinfoilsecurity.com/hackers-think-cookies-are-tasty-too

======
cheald
But...in order to properly execute an XSS attack, you have to get your code
onto _someone else's_ computer. You can edit your own cookies all day long and
accomplish nothing of value. What piece am I missing here?

That said, as far as the server trusting cookie values to do database lookups
or whatever, sure, there's a hole there. Most folks will use something like
HMAC-signed cookies in those cases, so that an attacker would have to be in
possession of a secret key in order to successfully have altered cookie data
accepted by the user. But in any case, the data should be treated like any
other user-supplied data - untrusted and to be sanitized.

~~~
ultimoo
Yes, I think what the original article is saying is that the cookie could have
been altered by a rogue browser extension/virus on a user's computer, which
could be then potentially used to import a script from a different origin into
the user's page.

~~~
cheald
If I have my malware on your computer, I'm just going to use it to steal your
cookie (and any other sensitive information) directly rather than perform some
convoluted roundabout XSS. :P

~~~
brodney
If you wanted to access a company's server, this actually sounds like a
reasonable attack vector. Get malware on someone's computer and use it to
perform SQL injections. It depends on what information the attacker is after.

------
ultimoo
Isn't it a widely adopted practice to encrypt the content of the cookie before
setting it? Of course it could still be tampered with, but not as trivially.

~~~
bensedat
Frameworks like Rails or Django offer options to encrypt or sign session
cookies, but any other cookies are often left up to the developer to take care
of. The HttpOnly and Secure flags are important to remember as well because
otherwise a man-in-the-middle or rogue JS can modify them.

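An added example, not code from the article or from either commenter, of the two points made above: the HMAC-signed cookie scheme cheald describes (tampering without the key is detected, though the payload is still readable, since signing is not encryption) and the HttpOnly/Secure flags bensedat mentions. The secret key, the payload fields and the helper names are assumptions made for the demo; the cookie format (base64url data, a dot, base64url HMAC-SHA256 tag) is one common layout, not any particular framework's.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side secret for the demo. In practice it comes from
# configuration and never leaves the server; an attacker who lacks it cannot
# produce a tag that verify_cookie() will accept.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    """base64url without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(payload: dict) -> str:
    # Canonical JSON so the same dict always signs to the same bytes.
    return _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Return '<data>.<tag>' where tag = HMAC-SHA256(key, data).

    Note the payload is only base64-encoded, not encrypted: anyone holding
    the cookie can read it, they just cannot change it without the key.
    """
    data = _encode_payload(payload)
    tag = hmac.new(key, data.encode("ascii"), hashlib.sha256).digest()
    return f"{data}.{_b64(tag)}"


def verify_cookie(value: str, key: bytes = SECRET_KEY):
    """Return the payload dict if the tag checks out, otherwise None.

    Uses hmac.compare_digest so the check does not leak how many leading
    bytes of a forged tag happened to match.
    """
    try:
        data, tag = value.rsplit(".", 1)
        expected = hmac.new(key, data.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(data))
    except ValueError:  # bad split, bad base64, bad JSON
        return None


def tamper(value: str, new_payload: dict) -> str:
    """What an attacker without the key can do: replace the data part and
    reuse the old tag. verify_cookie() rejects the result."""
    _, tag = value.rsplit(".", 1)
    return f"{_encode_payload(new_payload)}.{tag}"


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line with the flags discussed above: HttpOnly keeps page
    JavaScript from reading the cookie, Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; Path=/"


if __name__ == "__main__":
    cookie = sign_cookie({"uid": 42, "role": "user"})
    print(set_cookie_header("session", cookie))
    print("valid   ->", verify_cookie(cookie))
    print("forged  ->", verify_cookie(tamper(cookie, {"uid": 42, "role": "admin"})))
    print("wrongkey->", verify_cookie(cookie, key=b"some-other-key"))
```

Even with a valid signature the server should still treat the fields inside as untrusted input when it uses them in queries or templates; the tag only proves the server itself wrote the value, not that the value is safe to interpolate.
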
------
Oduig
Isn't XSS only a client side danger? For URLs, this is relevant since you can
post a malicious link and people can click on it. It's much harder to get
someone else's browser to accept a cookie you made for a specific website.

Of course, cookies are still client-side data and should not be trusted. But
XSS is not a problem here. Correct me if I'm wrong.

~~~
trebor
Not if your server environment is running Node.js! If you start reading
cookies and potentially evaluating their content, this could have a major
impact on a Node process. That said, I doubt that you could hack a running
Node process with this without the system using eval() on the cookie contents.
I've been wrong before....

------
jtokoph
I think cookie values are more of a risk for SQL injection or RCE than XSS. If
the code that builds the session lookup query or cookie parsing code isn't
safe, you're gonna have a problem.

