
    Session Cookie Spoofing

    Complexity: Low (2.0)

    Default Response: 1x = Logout User, 2x = 1 Day Clear Inputs, 3x = 5 Day Clear Inputs

    Cause: WebApp Secure uses an HTTP cookie as one of the components of its fingerprinting technology. The session cookie consists of an AES-encrypted, base64-encoded numerical ID and a validation signature. Because the cookie carries its own embedded digital signature, any attempt to fabricate or modify a session cookie without the signing key will almost always produce a signature that fails verification. If WebApp Secure detects that a cookie being provided has an invalid signature but otherwise follows the correct format, it triggers a "Session Cookie Spoofing" incident.

    Behavior: Session cookies are commonly used by a web application in order to maintain state. HTTP, by itself, is not a stateful protocol, and without technologies like cookies a web application would be unable to correlate requests made by the same user. When an attacker modifies a cookie, especially when they are careful to follow the same format constraints as the original value (22 letters and numbers, 16 hex characters, etc.), they are attempting to modify their state. If, for example, an attacker were able to successfully guess the session cookie value of another actively logged-in user, they would be able to assume that user's state (including their authentication and authorization levels). WASC refers to this as a "Credential and Session Prediction" attack (see Credential and Session Prediction for more information).
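    The following is an added example, not WebApp Secure's own code, illustrating both the Cause and Behavior sections above: a signed session cookie built the way the Cause section describes (an encrypted numeric ID plus a validation signature, base64-encoded), and a verifier that separates a cookie that is well-formed but carries a bad signature (the "Session Cookie Spoofing" condition) from one that is simply malformed. It also shows the format-preserving tampering the Behavior section describes: an attacker flips one byte of the encrypted ID while keeping the cookie's exact length and alphabet. The cipher is an assumption: the Python standard library has no AES, so the ID is encrypted with an HMAC-SHA256 keystream (encrypt-then-MAC) as a stand-in; the keys, the 8-byte nonce, the 8-byte ID, the 16-byte truncated tag, and all function names are constructed for the example and are not WebApp Secure's actual cookie layout.

```python
# Added example (not WebApp Secure's code): signed session cookie and a
# verifier that classifies cookies as "valid", "malformed" or "spoofed".
import base64
import binascii
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Constructed demo keys (assumption). A real deployment derives these from a
# per-installation secret; never hard-code them.
ENC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

NONCE_LEN = 8   # per-cookie random nonce (assumed layout)
ID_LEN = 8      # numeric ID packed as a 64-bit big-endian integer
TAG_LEN = 16    # truncated HMAC-SHA256 validation signature
COOKIE_RAW_LEN = NONCE_LEN + ID_LEN + TAG_LEN   # 32 bytes -> 44 base64 chars


def _keystream(nonce: bytes, length: int) -> bytes:
    # Stand-in for AES (assumption): HMAC-SHA256 used as a PRF on the nonce,
    # XORed into the ID. Adequate for a demo; use AES-GCM in production.
    return hmac.new(ENC_KEY, nonce, hashlib.sha256).digest()[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_cookie(user_id: int, nonce: Optional[bytes] = None) -> str:
    """Encrypt-then-MAC the numeric ID and base64-encode the result."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = _xor(struct.pack(">Q", user_id), _keystream(nonce, ID_LEN))
    body = nonce + ciphertext
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def check_cookie(cookie: str) -> Tuple[str, Optional[int]]:
    """Return ("valid", id), ("malformed", None) or ("spoofed", None).

    Only "spoofed" (correct format, invalid signature) corresponds to the
    Session Cookie Spoofing incident; garbage that is not even the right
    shape is reported separately.
    """
    try:
        raw = base64.b64decode(cookie, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return ("malformed", None)          # wrong alphabet or padding
    if len(raw) != COOKIE_RAW_LEN:
        return ("malformed", None)          # right alphabet, wrong length
    body, tag = raw[:NONCE_LEN + ID_LEN], raw[NONCE_LEN + ID_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return ("spoofed", None)            # well-formed, signature invalid
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    user_id = struct.unpack(">Q", _xor(ciphertext, _keystream(nonce, ID_LEN)))[0]
    return ("valid", user_id)


def flip_byte(cookie: str, index: int) -> str:
    """Attacker move: alter one byte while keeping the exact cookie format."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    good = make_cookie(42)
    print("genuine    ", check_cookie(good))
    print("ID byte flipped", check_cookie(flip_byte(good, NONCE_LEN)))
    print("tag byte flipped", check_cookie(flip_byte(good, COOKIE_RAW_LEN - 1)))
    print("truncated  ", check_cookie(good[:-4]))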


    Published: 2013-11-20