Professional Documents
Culture Documents
Cookie Manipulation
Cookie Manipulation
Description
HTTP is a stateless protocol. In 1994, Netscape invented a mechanism called a cookie as a method for session tracking. A cookie is a small piece of information usually created by the Web server and stored in the Web browser. Each time the user contacts the Web server, this data is passed back to the server. The cookie contains information used by Web applications to persist and pass variables back and forth between the browser and the Web application. There are two types of client-side cookies:
Persistent cookies: Which are stored in a file on the client until an expiry date. Session cookies: Which are kept in the memory of the client until the session is ended.
As a result of the cookie structure and their usage, all data stored in a client-side cookie could be easily read and manipulated. The risk of tampering with data and even information disclosure is very high. Due to the fact that many cookies are Base64 encoded, no cryptographic protection is offered. The best practice to avoid cookie manipulation is to be suspicious of data stored in cookies.
Examples
Example Code (Cookies sent by the server, the first one being persistent) HTTP/1.1 200 OK
... Set-Cookie: client=a5b35e36-b342-464ba3a6-8e3718990af9; domain=.sap.com; expires=Wed, 18-Jan-2006 11:38:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=c12ylm55kp3uirruo4is5sm5; path=/ ... Example Code (Cookie sent by the client): POST /index.epx HTTP/1.1 ... Cookie: GCUID01=452492715; GCCKVER=5; ASP.NET_SessionId=c12ylm55kp3uir ruo4is5sm5; client=a5b35e36-b342-464b-a3a6-8e3718990af9
When dealing with cookies, take the following security considerations into account:
Store all data in a server-side cookie. Do not store ANY data in a client cookie, unless you absolutely have to. Hackers can easily manipulate client-side cookies. Use the session management that the SAP NetWeaver platform provides. Do not create your own. Never store any confidential data in a cookie, such as the non-public IP addresses of target servers, host names, or system IDs. If information of this type is important for control, you should use a hash procedure for one-way encryption of the data. Use idle timeouts for applications that expose private data or that may cause identity theft if left open. Offer a logout mechanism to the user, to manually shorten the time until a session timeout will end the session automatically.
Using the methods of the ABAP class CL_BSP_SERVER_SIDE_COOKIE to set, get, delete and manage cookies, attention has to be paid to the parameters username and session_id within the appropriate methods. It is ambiguous to pass sy-user to the parameter username for applications started by an anonymous user stored on the server. It would be better to use session_id since runtime->session_id indicates the browser session. For more information about this issue, see Class CL_BSP_SERVER_SIDE_COOKIE.
Examples
Example Code 1 Original Cookie Cookie: lang=en-us; ADMIN=no; y=1; time=10:30GMT; Cookie Modified by an Attack Cookie: lang=en-us; ADMIN=yes; y=1; time=12:30GMT; Example Code 2 Shopping carts used to store pricing information in cookies. Part of a Shopping Cart Applications Cookie item1_ID=12369&item1_pr=27,95&item2_ID=10334&item2_pr=19,95 > Total Amount: $47,90 Manipulated Cookie item1_ID=12369&item1_pr=0,95&item2_ID=10334&item2_pr=1,95 > Total Amount: $2,90
Further Information
OWASP Guide Version 2.0.1 (Pages 147 160) surfnet.dl.sourceforge.net/ sourceforge/owasp/ OWASPGuide2.0.1.pdf