Cyber Security Management – HTTP COOKIE WEAKNESS, ATTACK METHODS AND DEFENCE MECHANISMS
Abstract
HTTP cookies are a commonly used mechanism on the internet. Numerous significant data breaches have shown that a range of attack techniques can interfere with cookies, so it was inevitable that their shortcomings would come to light. ICT experts have identified a number of flaws and vulnerabilities in cookies. The draft upon which the cookie protocol is based dates back almost twenty years. Through a thorough assessment of the literature, this study identified cookie vulnerabilities, attack strategies that take advantage of them, and defence strategies to lessen the impact of the attacks. A review and rating of the literature on cookie specifications, attack techniques, and defence techniques was conducted.
Based on existing research, cookies and the protocols that carry them contain flaws and vulnerabilities that attackers can exploit. The study highlighted cookies' lack of integrity and confidentiality. To increase the success percentage, the cookie protocol should be modified. In their current state, cookies are susceptible to TCP/IP hijacking, session fixation, cross-site scripting, cross-site request forgery, cookie poisoning, hijacking, and manipulation. A range of defence strategies should be employed to lessen the attacks.
Keywords: cross-site request forgery, HTTP cookie, cross-site scripting, vulnerability, session fixation, TCP/IP hijacking
1 Introduction
Most Internet services carry advertisements, and advertising funds those services. According to PwC Advisory Services, US advertising revenues were $59.6 billion in 2015, and advertising revenue climbs rapidly year after year. Such paid advertising is called “online advertising.” Advertisements make free access to websites and apps possible. Interest-based advertising targets users' preferences, which lets businesses market products and services directly to users based on their needs. To customise ads, advertisers must profile and track users (Hassan & Hijazi, 2017, p. 9).
Could HTTP cookies be used to launch cyberattacks or gather opponent information? Cookies: do they reveal defence secrets? The protection mechanism just needs one reckless user. The target website may send the cyber attacker a cookie with a unique identification code to identify them (Green, 2015). Green claims that the attacker must accept cookies and only use web protocols.
Cookies can be attacked in several ways. To secure cookies, several security procedures must be changed. In 2017, Yahoo discovered that hackers accessed 32 million user accounts without passwords via cookie forgeries (CNet, 2017). Cookies are subtle but effective. They must be well-defended. Several studies say cookies aren’t secure enough. Many online agents use cookies to understand their consumers’ needs.
1.1 Current Scenario
The Internet uses both stateful and stateless protocols. A stateful protocol keeps state about connections and processes, and that state data is deleted on disconnect. Stateless protocols do not keep track of completed transactions, so there is nothing to remove (Bangia, 2005). HTTP is stateless and uses cookies to carry state: two browser requests can be differentiated using cookies (Mozilla, 2018).
Websites store cookies on the user's computer. Cookies are text-based and identify people, which lets a website track unique visitors. Website cookies store user preferences and behaviour, so a site can serve relevant content when the user returns, and sessions are customised with cookies (F-Secure). Shopping carts and logins are stored in cookies. Cookies store user and other preferences to customise webpages, and they track and analyse user behaviour (Mozilla, 2018). Websites can share tracking cookies, and cookies personalise content based on browsing. Cookies track input on webpages (F-Secure). Data is stored on servers. Tracking cookies monitor internet use. Activity is affected by IP. Databases view logs remotely. Browser cookies update as pages or adverts load (Tom's Guide, 2013).
Third-party cookies are used to track advertising across websites so that accurate content can be served. A third-party ad stores a cookie; when the user visits another site that uses the same ad service, for example through a banner on that page, the cookie is read there as well, so the service tracks visitors to both websites. Many antivirus and antispyware products disable tracking cookies (F-Secure).
Companies must modify marketing to boost internet sales. Traditional marketing doesn’t reach modern consumers. Most consumer marketers win. Customer-focused marketing must address tastes. The cookies store preferences. Privacy advocates detest tracking cookies. Internet users have had little privacy since their first search.
Internet actors gather user data in numerous ways. Web analytics gathers user data (Clifton, 2012). Analytics can show companies how many visitors arrived and what they did (Clifton, 2012). Web analytics tools include Google Analytics.
This paper discusses cookie specifications, weaknesses, flaw-exploiting attacks, and defences. Study suggests RFC 6265 cookie requirements. Several studies address specification errors. We examined attack tactic studies. Several studies reveal attack strategy resistance. Cookie specifications are problematic, attack methods exploit them, and defences limit them. No study estimated event scope utilising cookie definition, attack techniques, and defences. Learn the event’s numerous causes with data. Insufficient evidence supports spectrum exploration. Because prior studies concentrated on details, this one is smaller. The study will assess cookie vulnerabilities, attacks, and defences. Study explores cookie popularity determinants.
1.2 Objectives
This study aims to analyse the nature of cookies to fully understand their vulnerabilities and the specific weaknesses they possess. Understanding the functionality of cookies and the impact of their properties on security provides insight into their vulnerabilities. Understanding the cookie mechanism that impacts most individuals globally is essential. To devise new mechanisms or reinforce existing methods for cookie protection, it is important to first comprehend the vulnerabilities of cookies and identify the specific components that are susceptible.
The objective of this study is to generate findings that expose vulnerabilities in cookies, types of attacks, and mitigation strategies, and consequently to provide a comprehensive account of cookie security. The study addresses the research topics through a comprehensive literature review of cookie specifications, attack methodologies that exploit vulnerabilities in these specifications, and protective measures for safeguarding cookies. The research will disclose deficiencies in cookies, methods of attack, and security mechanisms.
1.3 Problem Definition
This systematic literature review will examine the question: “What are the vulnerabilities of HTTP cookies?” The secondary research questions are “What types of attacks exploit vulnerabilities in HTTP cookies?” and “What defensive strategies can be employed to mitigate the attacks?” No prior studies of this magnitude have integrated cookie specifications with attack methodologies that leverage cookie vulnerabilities and defensive tactics that safeguard cookies. Numerous studies have examined the deficiencies and susceptibilities of cookies together with a particular attack strategy that exploits them.
The primary focus of the study is selected to provide valuable insights on the cookie features that require assessment. The initial secondary research question provides insight into the impact of cookie vulnerabilities on cookie security within the primary study issue. The final research question examines strategies to enhance cookie security.
The paper examines cookies by analysing their vulnerabilities, the attack methods that exploit these weaknesses, and the defensive measures that mitigate such attacks. The strengths of cookies are out of scope and are excluded from this investigation. This study does not examine the rationale for using or not using cookies. Cookies are the predominant method for identifying online users and sessions, so it is unnecessary to argue whether cookies ought to be used.
2. Literature review
The research that has been done on the topic is analysed in this chapter. There are a few different perspectives regarding the topic. To begin, it is necessary to investigate the concept of digital privacy in relation to the surveillance of internet users, which is performed through the utilisation of cookies. The European Union has passed legislation that places restrictions on the preservation of information pertaining to users. After that, we will have a discussion of the fundamentals of HTTP cookies. There is no better way to monitor people than through the usage of HTTP cookies. There is a wide variety of cookies to choose from.
The primary areas of focus for this study are the literature that defines cookie specifications, the literature that explores attack methods that affect cookies, and the literature that examines defence mechanisms to minimise attacks. The framework of the review consists of cookie privacy, cookie specifications, cookie kinds, cookie vulnerabilities, cookie attack methods, and defence mechanisms to minimise attacks.
2.1 Digital Privacy
“Digital privacy” means the protection of personal information online. Information is generated through the use of public networks for either personal or business conversations. The identification of information sources is an essential part of digital privacy. Since Edward Snowden disclosed materials on mass surveillance programs, there has been a conflict between legitimate spying and privacy. During a Google search, the user's phrases, the date and time of the search, and their IP address are all recorded. Internet usage and surfing habits are monitored in order to generate individualised profiles (Hassan & Hijazi, 2017).
Two forms of data are produced by actions taken online. The first is personally identifiable information (PII), often referred to as sensitive personal information. The second is anonymous data. Names, biometrics, Social Security numbers, gender, and passport numbers are all examples of personal information. According to Hassan and Hijazi (2017), user information such as browser type, version, location, school, nation, and linked device type is anonymous.
A directive to save data was issued to member states by the European Parliament and Council in 2009. Under the law, Member States are required to provide subscribers and users with clear and comprehensive information about the processing of personal data. The subscriber or user must give consent before information is stored or accessed in their terminal equipment. The regulation does not restrict the type or technique of data storage.
Using cookies, web servers are able to follow users, and cookies have recently come under fire. Web analytics allows businesses to monitor how users navigate their websites. During the entirety of user agent sessions, cookies remain in existence and can be shared between hosts of other domains. Hosts that belong to the same domain can share cookies if a user agent treats a missing Domain attribute as if it were present and contained the current host name (Barth, 2011).
2.2 HTTP Protocol
HTTP is an application protocol used by distributed, collaborative, hypermedia systems. Data on the Internet is transferred via HTTP, which runs over TCP/IP (Tutorial Links). TCP/IP combines IP and TCP. Network protocols differ, but every protocol is a set of rules and procedures that enables computers to share data. TCP/IP connects browsers and servers (Lifewire, 2018).
Internet communications and files are sent over TCP. Once delivered, packets are reassembled. The IP ensures data packet delivery. TCP/IP has datalink, networking, transport, and application layers. Known as application layer. Link protocols are controlled by datalink. Networks link hosts. The networking layer allows data packets to cross network boundaries.
The transport layer carries communication between hosts and deals with multiplexing, flow control, and reliability. The application layer standardises data. Lifewire (2018) defines HTTP as the creation and transfer of client data. The HTTP specification addresses how servers answer client requests. HTTP has three basic features. The browser sends an HTTP request to the server. The client disconnects from the server after the request and waits for the server's response.
The server re-establishes the connection, processes the request and responds to the client. HTTP is therefore connectionless once a request has been made. HTTP is also media independent: it can transfer any kind of data, as long as both client and server know how to handle it. Because HTTP is connectionless, it is stateless. Both server and client know requests. HTTP is a request-and-response protocol built on a client-server architecture. The client sends a request to the server over TCP/IP consisting of a method, a URI and the protocol version, followed by a message that can comprise request modifiers, client information and body content.
The server returns a response with the protocol version and a success or error code, followed by server information, entity metadata and, in some cases, entity-body content (Instructional Point).
HTTP uses URIs, or “Uniform Resource Identifier,” to identify resources and start connections. Send HTTP messages after connecting. Server responses and client requests are messages. A name, location, or other information is in the URI string.
3 Critical Analysis
Cookie weaknesses are found by reviewing cookie vulnerability, attack path, and protection literature. Research utilised systematic literature review. From prior knowledge, a literature review explains the phenomenon. This study analyses and synthesises research. This initiative will solve research problems using proof.
Systematic literature reviews address clear and specific research questions. A systematic literature review reduces bias and can be replicated. A comprehensive literature review draws on several studies and discusses the relevance and practical implications of their findings. After a topic is chosen, a systematic literature review finds all relevant research, analyses its quality, and scientifically summarises its conclusions (O’Brien and Guckin, 2016).
Research benefits from systematic literature reviews. Systematic literature reviews employ extraction search methods to examine all relevant research. Methodologically reviewing and summarising studies. We found, evaluated, and compiled all relevant research. A methodical literature review addresses research questions. Transparency and rigorous criteria prevent bias in systematic literature reviews. Systematic literature reviews show the phenomenon’s adaptability. An extensive literature review may reveal research gaps and areas for further study (O’Brien and Guckin, 2016).
Systematic literature reviews have pros and cons. They moderate bias but do not remove distortion. The inclusion and exclusion criteria used for data extraction in a critical review can misrepresent the data if they are misused. No standard approach exists for evaluating study validity, and reviewers may disagree on data gathering and analysis (O’Brien and Guckin, 2016).
Consider various factors while assessing a systematic literature review. Find relevant research first.
Next, assess the studies’ methodology. Determine and decrease distortion (O’Brien and Guckin, 2016).
3.1 Background
A study subject starts a comprehensive literature review. The researcher’s interests dictated the study’s main focus. Reviewing books and websites revealed cookie research gaps. Found a gap. Researchers’ interests and gaps shaped this study’s objective. Duplicate research was avoided by adding two questions. The investigation sought cookie vulnerabilities, attacks, and countermeasures.
Many databases were searched after the study questions were created. Finding relevant literature with these keywords:
• HTTP cookies (7214 results)
• HTTP cookie requirements (2244 results)
• HTTP cookie vulnerability (896 results)
• HTTP cookie bug (332 results)
• HTTP cookie exploitation (1259 results)
• secure HTTP cookies (1991 results)
• HTTP cookie protection (239 results)
We mentioned keywords above. Created cookie-specific keywords. The search results would be worthless without “HTTP” keywords. The search followed Figure 1.

Figure 1: Search strategy
Six actions were taken to search. Study question and purpose were established. After selecting databases, search queries were created. Searches targeted specific databases. Google Books, Scholar, and JYKDOC were used.
Google was used to supplement literature evidence.
The preliminary search sought relevant materials. There were 14,175 papers found. Article titles were screened for irrelevant content. Papers were reduced to 232. The abstracts and keywords were examined to find relevant works. Paper count dropped to 112. Complete papers were reviewed to conclude the search approach. After reading, 94 important papers were selected.
After that, inclusion and exclusion criteria were set. This study’s scope and aims sought to answer the research question precisely. The study examines literature-identified shortcomings, attack techniques, and defence mechanisms. Select and critically examine relevant studies to determine quality. This thesis answers “What are the vulnerabilities of HTTP cookies?” using inclusion and exclusion criteria.
Table 4 lists inclusion and exclusion criteria.
| Criteria | Inclusion criteria | Exclusion criteria |
| --- | --- | --- |
| Criteria 1 | Addresses cookies’ technical mechanisms | No technical aspects |
| Criteria 2 | Must discuss cookies in a comprehensive environment | Does not address the comprehensive environment of cookies |
| Criteria 3 | Must indicate weaknesses of cookies | Lacks current, relevant information |
| Criteria 4 | Examines the factors that affect cookie function | Lacks discussion of cookie-affecting factors |
Certain criteria were used to choose literature. The title and abstract were used to research cookies, cookie properties, weaknesses, attack methods, and defences. Adequate results affected precision. The literature evaluation included 31 books, 6 research publications, and 22 internet references after matching search results to inclusion/exclusion criteria.
The research relied on RFC 6265 (Barth, 2011), OWASP, and CVE cyber security vulnerability and exposure dictionary. The research benefited from Dubrawsky (2007, 2009, and 2010), Rustic (2014), and the EC-Council (2010, 2017). The linked documents and RFC 6265 specification were examined in this study, supporting and challenging its specification.
Cookies were defined and faults found in RFC 6265. The specification included more information to help understand cookies, the cookie protocol, their mechanics, and more.
Search results were manually classified and documented.
The categories were:
• Specification
• Weakness or vulnerability
• Technique of attack
• Defence mechanism
Meta-analysis compared comparable queries. The similarities were examined to diversify cookies. To avoid repetitions, searches were recorded.
Next, study quality was appraised. Quality was assessed by monitoring research design, execution, and reporting. If the literature design, conduct, and reporting were solid, the study continued. There were studies that answered the research question. Study inclusion was met. Removed irrelevant studies.
The literature review concluded with search results. We published understandable search results. Results were tabulated for analysis. Review and discuss outcomes.
3.2 Issue Identification
This analysis largely relies on documents detailing cookie technical specs, attack tactics, and defence strategies. To verify the documents’ results, researchers review the evidence online. Modifying or adding components to tests can change results.
Repeating the study with the same methods and literature should generate similar results. An inquiry with technical testing may generate various results. When findings differed, requirements were changed. Cookie operation is well-defined. Changes in attack plans and tactics may provide different results. However, cookie requirements and functions work well in practice. Thus, cookies and attacks must be altered to produce different effects.
This study answered research questions. This study investigated cookie vulnerabilities, attack techniques, and defences. Cookies’ vulnerabilities and weaknesses were thoroughly explained by the research. Attack techniques that exploit cookie vulnerabilities were also found. The study also suggested environmental cookie protection techniques.
4 Summary
Cookies are flawed. Information security is difficult because attack methods change quickly while defence systems don’t. Cookies are essential to web service user experiences. The use of cookies is challenging. As a strategy, cookies are vulnerable and biassed as an incomplete component with promise, but severe attack methods might cause serious arbitrary implications. This section discusses study findings. First, cookie weakness results are provided. Results on attack and defence techniques follow.
4.1 Weaknesses of HTTP Cookie
Cookies encourage developers to rely on ambient authority. A remote party can cause the user agent to issue HTTP requests that carry this ambient authority, and any web server that uses cookies for authentication allows this. Using cookies to authenticate users therefore creates security risks: an attacker could use CSRF.
Cookies also encourage web server operators to separate designation (URLs) from authorisation (cookies). As a result, the user agent may supply authorisation for a resource that the attacker has designated, and the web server or its clients may then carry out the attacker's tasks.
All data inputs are dangerous. Internet services should verify user input. Never trust user reviews. Web service inputs are fragile.
Cookies that contain session identifiers are problematic. In session fixation, an attacker transplants a session identifier from their own cookies into the victim's user agent. The victim then communicates with the web server using that session identifier, and the transplanted session comes to hold the victim's login or sensitive data. If the Secure attribute is not set on a cookie, an attacker can intercept outbound user agent requests and hijack them even when the site uses HTTPS; this can happen when the cookie holds the session ID. By intercepting an HTTP request, the attacker can redirect it to a web server, and the user agent includes its cookies in the HTTP request even if the web server is not listening.
HTTPS protects cookies better than HTTP. Cookies are sent in clear text across insecure networks. Cookie and Set-Cookie headers may contain sensitive data that can be overheard.
Malicious intermediaries may discard headers during insecure transfer. A rogue client could alter the Cookie header before delivery.
A missing Domain attribute may be treated by user agents as if it contained the host name, so other hosts in the domain can receive the cookie. Because user agents can only hold a limited amount of data, they may delete cookies: an attacker can store many cookies in the victim's user agent, and the user agent must delete cookies once the storage limit is reached.
4.2 Attack Types and Defense Methods
We must emphasise that no defence plan can guarantee perfect security against developing attack techniques. Defences against cookie attacks should be designed on the assumption that they will be compromised. Developers should evaluate how attackers could attack or compromise the function being created. No foolproof measures exist; the aim is to make attacks more difficult.
Table 5 lists cookie problems, attack techniques, and defences.
| Weakness | Attack method | Definition | Defense mechanism |
| --- | --- | --- | --- |
| Identification cookies (ambient authority cookies) | CSRF, cookie poisoning | Request origin cannot be reliably authenticated. | Check source and target origins separately. Set the SameSite attribute to strict mode. Use a web application firewall. |
| Separating designation (URLs) from authorization (cookies) | CSRF | A resource designated by an attacker might be supplied authorization by a legitimate user. | Do not use cookies for authorisation; URLs could be used as capabilities. Set the SameSite attribute to strict mode. |
| Untrusted data inputs | XSS | A script designed to extract cookie data can be injected into a web site by an attacker. | Avoid untrusted data inputs. Set the HttpOnly flag. |
| No integrity for sibling domains and their subdomains | Cookie injection from related hostnames | Sibling domains (like foo.website.com) can set cookies with another domain’s Domain attribute value (like website.com) and override cookies set by other domains (like bar.website.com). | |
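The attribute-level defences this paper names (Secure, HttpOnly, SameSite in strict mode, a narrow Domain) can be checked mechanically on a server's responses. The auditor below is an added example, not code from the paper or from any cited source; the finding codes, the session-name heuristic and the sample headers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumption of this example: cookie names containing these substrings
# carry a session identifier or login state.
SESSION_HINTS = ("sess", "sid", "auth", "token")


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into name, value and attributes.

    The first name=value pair is the cookie itself; every later
    ';'-separated item is an attribute whose name is case-insensitive.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        if item:
            key, _, val = item.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit(header: str, request_host: str) -> list:
    """Return finding codes for one Set-Cookie header sent by request_host."""
    cookie = parse_set_cookie(header)
    is_session = any(hint in cookie.name.lower() for hint in SESSION_HINTS)
    findings = []

    # Without Secure the cookie also travels over plain HTTP in clear text.
    if "secure" not in cookie.attrs:
        findings.append("NO_SECURE")
    # Without HttpOnly an injected script can read the cookie (XSS row).
    if is_session and "httponly" not in cookie.attrs:
        findings.append("NO_HTTPONLY")
    # SameSite limits cross-site sending (CSRF rows); Table 5 asks for strict.
    samesite = cookie.attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        findings.append("SAMESITE_MISSING_OR_NONE")
    elif is_session and samesite == "lax":
        findings.append("SAMESITE_NOT_STRICT")
    # Any Domain attribute shares the cookie with every host below it; a
    # parent domain additionally exposes it to sibling hosts.
    domain = cookie.attrs.get("domain", "").lstrip(".").lower()
    if domain:
        wider = domain != request_host.lower()
        findings.append(
            "DOMAIN_INCLUDES_SIBLINGS" if wider else "DOMAIN_INCLUDES_SUBDOMAINS"
        )
    return findings


# Constructed sample headers, as if sent by app.website.com.
SAMPLES = [
    "SESSIONID=abc123; Path=/",
    "SESSIONID=abc123; Domain=website.com; Path=/; Secure; HttpOnly; SameSite=Lax",
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/; secure; samesite=lax",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit(sample, "app.website.com") or "ok")
```

Run against captured response headers, the codes map directly onto the rows of Table 5: the first two samples are flagged, the last two pass.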
4.3 HTTP Cookie Confidentiality
Information is protected from harmful operators while permitted operators can access it. Allow only authorised users to access sensitive data. Usually, encryption ensures confidentiality.
The results show that cookie confidentiality is low: on the server side, cookies are not isolated by port, scheme, or path. Cookies are exposed when services running on different ports of a server are not segregated. Multiple services on a server can read the same cookie, and a cookie that one service can write can also be written by services on other ports. Untrusted services should not be run on different ports of the same host. Hosts should not store security-sensitive data in cookies.
The lack of scheme isolation also affects cookie confidentiality. Cookies are used with HTTP and HTTPS, but without isolation they can also be accessed over other schemes such as FTP. Cookies lack scheme separation, thus processing demands reflect this.
Research shows that cookies do not isolate paths either. Non-HTTP APIs let user agents expose path-specific cookies, and only a few user agents separate resources from distinct paths, so resources from one path can access cookies stored for another.
4.4 HTTP Cookie Integrity
Data integrity means consistency, accuracy, and trustworthiness. Unauthorised parties should not be able to alter data during transmission.
Cookies, whether sent over HTTP or HTTPS, do not guarantee integrity for sibling domains and their subdomains. A server at foo.website.com can set a cookie whose Domain attribute is website.com, possibly overwriting a cookie set by its sibling bar.website.com. The user agent then sends that cookie in HTTP requests to bar.website.com, which may not be able to distinguish it from a cookie it set itself. A subdomain can in this way target other hosts in the domain.
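The scoping rules behind sections 4.3 and 4.4 can be traced in code. The following is an added example, not taken from the paper: a minimal sketch of the RFC 6265 domain-match and path-match rules, assuming explicit paths and omitting the public-suffix check and cookie ordering that real user agents apply. All names and URLs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str
    host_only: bool  # True when the Set-Cookie header had no Domain attribute
    path: str
    secure: bool


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not _is_ip(host)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: prefix match that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store(set_by_url: str, name: str, value: str, domain: Optional[str] = None,
          path: str = "/", secure: bool = False) -> Optional[StoredCookie]:
    """Apply the storage rule: a Domain attribute must cover the setting host."""
    host = urlsplit(set_by_url).hostname
    if domain:
        domain = domain.lstrip(".").lower()
        if not domain_match(host, domain):
            return None  # rejected: a host cannot set cookies for foreign domains
        return StoredCookie(name, value, domain, False, path, secure)
    return StoredCookie(name, value, host, True, path, secure)


def would_send(cookie: StoredCookie, url: str) -> bool:
    """Decide whether the cookie is attached to a request for url."""
    parts = urlsplit(url)
    if cookie.host_only:
        if parts.hostname != cookie.domain:
            return False
    elif not domain_match(parts.hostname, cookie.domain):
        return False
    if not path_match(parts.path or "/", cookie.path):
        return False
    # The port is never consulted; the scheme only matters with Secure.
    return not (cookie.secure and parts.scheme != "https")


def cookie_header(jar: list, url: str) -> str:
    """Build the Cookie header: names and values only, no origin metadata."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if would_send(c, url))


if __name__ == "__main__":
    own = store("https://bar.website.com/", "sid", "set-by-bar", secure=True)
    planted = store("https://foo.website.com/", "sid", "set-by-foo",
                    domain="website.com")
    # bar.website.com receives both values and cannot tell which one it set.
    print(cookie_header([own, planted], "https://bar.website.com/account"))
    # No port isolation: the same cookie reaches a service on another port.
    print(would_send(own, "https://bar.website.com:8443/"))
```

The Cookie header carries no Domain, Path or Secure information back to the server, which is why the receiving host cannot tell its own cookie from the one set by its sibling.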
The Path attribute provides no integrity protection: user agents accept any Path attribute in a Set-Cookie header. Attackers can inject cookies into Cookie headers by imitating web server responses. An HTTPS server cannot distinguish attacker-injected cookies from cookies set in its own HTTPS responses. Thus, even if the web server only serves HTTPS, an attacker can steal cookies.
An attacker can inject cookies into the Cookie header sent to https://website.com/ by mimicking a response and injecting a Set-Cookie header. The HTTPS server at website.com cannot distinguish between attacker-injected and server-set cookies, so the attacker can still attack even though the server uses HTTPS. Encrypting and signing cookies may lessen these risks. But the attacker can replay a cookie obtained from the real website.com server in the user’s session. Thus, cryptography cannot stop all attacks.
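The limit of signing described above can be made concrete. The following is an added example, not from the paper or RFC 6265: an HMAC over the cookie value detects modification, yet a genuine cookie presented from another browser still verifies until it expires. The key, the payload layout and the 900-second lifetime are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo key; a real server keeps its key out of source code.
SECRET = b"constructed-demo-key"
MAX_AGE = 900  # seconds a signed cookie stays valid (assumed policy)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def sign_cookie(value: str, issued_at: int, key: bytes = SECRET) -> str:
    """Return 'payload.tag' with tag = HMAC-SHA256(key, 'value|issued_at')."""
    payload = f"{value}|{issued_at}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, now: int, key: bytes = SECRET) -> Optional[str]:
    """Return the cookie value if the tag and age check out, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # value was modified or signed with another key
    value, _, issued = payload.decode("utf-8").rpartition("|")
    if not issued.isdigit() or not 0 <= now - int(issued) <= MAX_AGE:
        return None  # expired or dated in the future
    return value


def tamper(cookie: str, old: str, new: str) -> str:
    """Rewrite the payload but keep the original tag, as someone without
    the key would have to."""
    payload_b64, tag_b64 = cookie.split(".")
    payload = base64.urlsafe_b64decode(payload_b64)
    return f"{_b64(payload.replace(old.encode(), new.encode()))}.{tag_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    genuine = sign_cookie("user=alice", t0)
    print("fresh    :", verify_cookie(genuine, t0 + 60))
    print("tampered :", verify_cookie(tamper(genuine, "alice", "admin"), t0 + 60))
    # Replay: the MAC proves the server issued the cookie, not that the
    # browser presenting it is the one it was issued to.
    print("replayed :", verify_cookie(genuine, t0 + 600))
    print("expired  :", verify_cookie(genuine, t0 + MAX_AGE + 1))
```

The signed timestamp narrows the replay window but does not close it, which is the residual risk the paragraph above describes.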
RFC 6265 lacks confidentiality and integrity mechanisms. Browsers do not always verify that the domain setting a cookie is authorised to do so.
5. Discussion
The primary research question of this master’s thesis was “What are HTTP cookies’ weaknesses?” The secondary research questions were “What attacks use HTTP cookie flaws?” and “What defence mechanisms can reduce attacks?”
A lot of cookies are bad. Developers may utilise cookies for ambient authentication. The system is vulnerable to CSRF since cookies are “ambient authority” for authentication. Sessions may be fixed using session-identifier cookies. Cookies should not save session IDs, according to most studies.
Cookies don’t authenticate. Attackers can access websites via cookies. Cookies don’t protect session IDs. Attackers target session ID cookies, according to many sources. Hackers with session identifiers might wreak major damage. Many large-scale cookie assaults may destroy users and web servers.
Cookies should not be used to authorise users. Instead, designation and authorisation can be combined in URLs: secrets would be stored in URLs rather than in cookies. This improves application security, because the remote entity must supply the secret itself.
To use the Secure attribute, developers must set the Secure flag on cookies and send them via HTTPS; the flag should be set whenever cookies are sent across encrypted connections. With insecure cookies, attackers can see active requests. The Secure attribute does not fully safeguard cookies: it protects cookie confidentiality. HttpOnly likewise protects cookie confidentiality but not integrity. It’s intriguing that cookies degrade. Nothing separates cookies by port, scheme, or path on the server. Without isolation, sibling domains and their subdomains have no integrity. Path lacks integrity. Cookies lack confidentiality. Cookies mostly follow a 1994 draft, thus this is possible. The cookie model and its processes should be examined to find all threats.
Attacks sometimes exploit cookie flaws. A poisoned cookie allows an attacker to access sensitive website or user data. With cookie manipulation, an attacker can generate, overwrite, or plant arbitrary cookies. A cookie-stealing script can be injected into a website. CSRF allows attackers to steal identities and hurt victims. Attackers can access victims’ sessions using TCP/IP hijacking.
The findings of this study are serious because cookies track users, save session IDs, and keep login passwords. Trust in cookies is in jeopardy. More study on cookie functioning and vulnerabilities is needed to address the concerns broadly and protect cookies.
This study found important scientific findings. Insufficient research has been done on cookies to develop comprehensive answers. Cookies should be studied by science and software engineers to improve solutions. This study can identify and exploit flaws.
There are no cookie threat defensive solution models in the literature. Due to their global impact, cookie protection must be studied. No new cookie defensive strategies are addressed in this study. Literature and standards inform defence. Assessing cookie risks and weaknesses requires more research.
Most conclusions are trustworthy. RFC 6265 was investigated. This paper confirms the study’s conclusions. Many studies use the cookie data.
More research is needed after the study. Study cookies’ lack of port, scheme, or path segregation to uncover explanations. Cookie science research also focusses on improving cookie security by strengthening and updating attributes.
6. Conclusion
Cookies are common in online services. This study examined cookies to find weaknesses. Weaknesses prompt exploitative conduct. Defences should protect cookie operation. Cookies have vulnerabilities, attack methods can exploit them, and defence mechanisms can minimise attacks. The study examined cookie function and attributes to identify their shortcomings.
A thorough literature review was done to understand the phenomenon from previous research. The studies’ quality was carefully considered. The study used comprehensive literature review.
This study found that cookies and their environment are vulnerable to attack. The findings must inform future research. Research shows cookies have distinct defects.
According to statistics, cookies lack port, scheme, and path isolation, a negative. Cookies are weaker because they do not protect sibling domains and subdomains. Cookie attributes lack integrity. Secure, HttpOnly, and Path only protect cookie privacy. Cookies are vulnerable to attacks owing to integrity issues. Cookies’ overall security is bad.
Cookies’ vulnerabilities may be exploited by numerous attacks. Cookie poisoning, hijacking/stealing, manipulation, XSS, CSRF, and TCP/IP hijacking are all methods of exploiting the vulnerabilities. These assaults capitalise on research deficiencies. The findings should be validated by implementing the defence strategies outlined in the findings to test the effectiveness of the attack methods.
The research proposed numerous cookie defences to mitigate attacks. When transmitting the cookie over a secure connection, set the Secure attribute. To prevent access by arbitrary scripts, set HttpOnly. Configure SameSite to prevent cross-site cookie requests. To restrict cookies to specific domains, subdomains, folders, and subdirectories, the Domain and Path attributes must be configured.
The results of this investigation should serve as an incentive for additional investigation. If the results are inaccurate, it is imperative to conduct a comprehensive investigation in order to identify potential solutions. Cookie defect issues have been identified in numerous studies. Take the issue into account.
References
Ansari, J. (2015). Web Penetration Testing with Kali Linux. Birmingham : Packt Publishing Ltd.
Anto, Y. (2012). The Art of Hacking. Saarbrücken : LAP LAMBERT Academic Publishing GmbH & Co
Alcorn, W., Frichot, C. & Orrù, M. (2014). The Browser Hacker’s Handbook. Indianapolis : John Wiley & Sons, Inc
Barrett, D., Weiss, M. & Hausman, K. (2015). CompTIA Security+ SYO 401 Exam Cram. Indianapolis : Pearson Education, Inc.
Boland, A., Cherry, G. & Dickson, R. (2017). Doing a Systematic Review : A Student’s Guide. London : SAGE Publications Ltd.
Bangia, B. (2005). Internet and Web Design. New Delhi : Firewall Media.
Clifton, B. (2012). Advanced Web Metrics With Google Analytics. (Third edition). Indianapolis : John Wiley & Sons, Inc
Ciampa, M. (2012). Security+ Guide to Network Security Fundamentals. (Fourth edition).
Chen, F., Duan, H., Zheng, X., Jiang, J. & Chen, J. (2018). Path Leaks of HTTPS Side-Channel by Cookie Injection. Constructive Side-Channel Analysis and Secure Design.
Dubrawsky, I. (2010). Eleventh Hour Security+. Burlington : Elsevier Inc
Dubrawsky, I. (2009). CompTIA Security+ Certification Study Guide. Burlington : Syngress Publishing, Inc.
Dulaney, E. (2009). Comptia Security+ Study Guide. (7th edition). Indianapolis : John Wiley & Sons, Inc.
EC-Council. (2010). Ethical Hacking & Countermeasures : Threats and Defence Mechanisms. (2nd edition).
EC-Council. (2017). Ethical Hacking & Countermeasures : Web Applications and Data Servers.
Engebretson, P. (2011). The Basics of Hacking and Penetration Testing : Ethical Hacking and Penetration Testing Made Easy. (2nd edition). Waltham : Elsevier, Inc.
European Union. (2009). Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009. Official Journal of the European Union.
Green, J. (2015). Cyber Warfare : A Multidisciplinary Analysis. Abingdon : Routledge.
Oriyano, S. & Shimonski, R. (2012). Client-Side Attacks and Defence. Waltham : Elsevier Inc.
Wu, H. & Zhao, L. (2015). Web Security : A Whitehat Perspective. CRC Press.
Zhang, Y., Wang, Z. & Xia, C. (2010). Identifying Key Users for Targeted Marketing by Mining Online Social Network. IEEE 24th International Conference on Advanced Information Networking and Applications Workshops, 644-649.
Zhu, Y. (2016). A Book Recommendation Algorithm Based on Collaborative Filtering. 5th International Conference on Computer Science and Network Technology, 286-289

