Session Cookie Tampering

Complexity: Medium (3.0)

Default Response: 1x = Logout User, 2x = 1 Day Clear Inputs, 3x = 5 Day Clear Inputs

Cause: WebApp Secure uses an HTTP cookie as one of the components of its fingerprinting technology. The session cookie consists of an AES-encrypted, base64-encoded numerical ID and a validation signature. Because the cookie carries its own embedded digital signature, any attempt to fabricate or modify a session cookie will almost always leave the signature no longer matching the cookie's contents. If WebApp Secure detects that a cookie being provided does not carry a valid signature, or does not follow the expected format, it triggers a "Session Cookie Tampering" incident.

Behavior: Session cookies are commonly used by a web application in order to maintain state. HTTP, by itself, is not a stateful protocol, and without technologies like cookies a web application would be unable to correlate requests made by the same user. However, just like form parameters and query string parameters, cookies are another type of user input. Just about any attack that can be accomplished by injecting malicious values into a form input (SQL injection, XSS, buffer overflow, integer overflow, and so on) could also potentially be accomplished by injecting malicious values into the session cookie. An aggressive attacker will typically probe every form input, query parameter, and cookie for multiple vulnerability classes, because these are the inputs most likely to be handled insecurely.
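As an added illustration, not WebApp Secure's own code or cookie format, the following Python models the mechanism the Cause paragraph describes and the kinds of tampering the Behavior paragraph lists: a cookie carrying a base64-encoded numeric ID plus a signature over it, a verifier that distinguishes a malformed cookie from one whose signature does not match its contents, and a set of constructed tampering attempts (ID swap, SQL-injection and XSS payloads, a forged signature). The signing key, the use of HMAC-SHA256 as the signature, the dot separator and the helper names are assumptions made for the example; the AES encryption of the ID is left out, since tamper detection rests on the signature rather than on the encryption.

```python
import base64
import hashlib
import hmac

# Assumed key for this example only; a real deployment keeps it secret server-side.
SIGNING_KEY = b"example-only-signing-key-do-not-reuse"
ID_LEN = 8  # the numeric session ID is carried as an 8-byte big-endian integer


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def issue_cookie(session_id: int, key: bytes = SIGNING_KEY) -> str:
    """Build a cookie of the assumed form '<base64 id>.<hex signature>'."""
    payload = _b64encode(session_id.to_bytes(ID_LEN, "big"))
    return f"{payload}.{_sign(payload, key)}"


def verify_cookie(cookie: str, key: bytes = SIGNING_KEY):
    """Return ('ok', id), ('bad_format', None) or ('bad_signature', None).

    The signature is checked before the payload is decoded, so that no
    attacker-controlled bytes are parsed unless they were signed by us.
    """
    parts = cookie.split(".")
    if len(parts) != 2:
        return ("bad_format", None)          # wrong shape: no (or too many) separators
    payload, sig = parts
    if not hmac.compare_digest(_sign(payload, key), sig):
        return ("bad_signature", None)       # contents were changed or the cookie was fabricated
    try:
        raw = _b64decode(payload)
    except ValueError:
        return ("bad_format", None)
    if len(raw) != ID_LEN:
        return ("bad_format", None)
    return ("ok", int.from_bytes(raw, "big"))


def simulate_tampering(cookie: str) -> dict:
    """Run constructed tampering attempts against a valid cookie; return the verdict per attempt."""
    payload, sig = cookie.split(".")
    other_id = _b64encode((2**32).to_bytes(ID_LEN, "big"))
    attempts = {
        "untouched": cookie,
        "swap_id_keep_signature": f"{other_id}.{sig}",
        "sql_injection": "' OR 1=1--",
        "xss_in_payload": f"<script>alert(1)</script>.{sig}",
        "forged_signature": f"{payload}.{'0' * 64}",
        "extra_field": f"{payload}.{sig}.admin",
    }
    return {name: verify_cookie(value)[0] for name, value in attempts.items()}


if __name__ == "__main__":
    cookie = issue_cookie(1234)
    print("issued:", cookie)
    for name, verdict in simulate_tampering(cookie).items():
        print(f"{name:24s} -> {verdict}")
```

Checking the signature before decoding the payload means a tampered or fabricated cookie is rejected as `bad_signature` without any of its bytes reaching the base64 decoder or the application; only a cookie that has no signature slot at all (or too many separators) is reported as `bad_format`. Either verdict corresponds to the condition that raises the incident described above.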

Note: For information on the attack types mentioned here, go to The Web Application Security Consortium Web Site and search for the attack name to learn more about it.