Activity Processors: Cookie Protection Processor: Incident - Application Cookie Manipulation

Complexity: Low (2.0)

Default Response: 1x = Warn User and Logout User. 2x = 5 day Clear Inputs.

Cause: WebApp Secure is designed to provide additional protection to cookies used by the web application for tracking user sessions. This is done by issuing a signature cookie any time the web application issues a "protected cookie" (which cookies to protect is defined in configuration). The signature cookie ties the application cookie (such as PHPSESSID) to the WebApp Secure session cookie. If any of the 3 cookies are modified (WebApp Secure session cookie, signature cookie, or the actual application cookie), this incident is triggered and the application cookie is terminated (effectively terminating the user's session). This prevents any user from manually creating a session cookie, hijacking another user's cookie, or manipulating an existing cookie.

Behavior: Manipulation of cookies is generally performed in order to hijack another user's session. However, because cookies represent another type of application input, modifications could also be performed to attempt other exploits. If the modified value resembles a legitimate value for the application cookie, then this is likely a session hijacking attempt. If the cookie contains other values that are clearly not valid, then it is more than likely an attack on generic application inputs, such as a "Buffer Overflow", "XSS", "Denial of Service", "Fingerprinting", "Format String", "HTTP Response Splitting", "Integer Overflow", or "SQL injection" attack, among many others.

Note: For information on the attack types mentioned here, go to The Web Application Security Consortium Web Site and search for the attack name to learn more about it.
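
Example: A sketch of the binding described under Cause and the triage described under Behavior, added here as an illustration and not WebApp Secure's own code. The HMAC-SHA256 construction, the key, the sign/check function names and the session ID format are all assumptions; the page does not document the product's actual signature scheme.

```python
import hashlib
import hmac
import re

# Assumption: a server-side secret and HMAC-SHA256; the product's actual
# signature scheme is not documented on this page.
SECRET = b"constructed-demo-key"
# Assumption: a legitimate PHPSESSID is 26 to 40 lowercase alphanumerics.
LEGIT_FORMAT = re.compile(r"[a-z0-9]{26,40}")


def sign(session_cookie: str, name: str, value: str) -> str:
    """Signature cookie value binding one application cookie to the session."""
    # Length-prefix each field so bytes cannot be shifted between fields.
    msg = b"".join(
        len(p).to_bytes(4, "big") + p
        for p in (session_cookie.encode(), name.encode(), value.encode())
    )
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def check(session_cookie: str, name: str, value: str, signature: str) -> str:
    """Return 'ok', or a triage label for the manipulation incident."""
    expected = sign(session_cookie, name, value)
    if hmac.compare_digest(expected.encode(), signature.encode()):
        return "ok"
    # One of the three cookies changed: the incident fires. Triage on the value.
    if LEGIT_FORMAT.fullmatch(value):
        return "incident: likely session hijacking attempt"
    return "incident: likely attack on generic application inputs"


if __name__ == "__main__":
    sess = "constructed-session-cookie"   # constructed sample values
    sid = "a" * 26
    sig = sign(sess, "PHPSESSID", sid)
    print(check(sess, "PHPSESSID", sid, sig))
    print(check(sess, "PHPSESSID", "b" * 26, sig))
    print(check(sess, "PHPSESSID", "' OR 1=1--", sig))
```

Because the signature covers all three values, changing the session cookie or the signature cookie alone fails the check just as changing the application cookie does.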