HTTP cookies, also called web cookies, Internet cookies, browser cookies or simply cookies, are small pieces of text that a website sends to the browser, which stores them on the user's system and returns them with later requests to that site. Sites use them to keep track of what the user does, such as logging in, clicking an advertisement, adding an item to a shopping cart, or which pages were visited. Some sites also use them to remember a previously entered username or other form data; passwords and payment-card details should never be stored in a cookie, because anyone who can read the cookie can read them too.
Authentication cookies are a special case. After a successful login the server issues a cookie that identifies the session, and on every later request it uses that cookie to decide whether the user is logged in and which account (and which device's session) the request belongs to. The security of this scheme rests on the cookie value being unguessable and on the cookie being kept confidential both in transit (an encrypted connection) and in the browser: any vulnerability that lets an attacker read the cookie, such as cross-site scripting or a plaintext connection, lets the attacker act as the user without ever learning the password.
How these can be misused
Types of Cookies
- Session Cookies.
- Persistent Cookies.
- Secure Cookies.
- HTTP-only Cookies.
- Same-site Cookies.
- Third-party Cookies.
- Super Cookies.
- Zombie Cookies.
Session Cookies
Session cookies are also known as in-memory, transient or non-persistent cookies. They exist only in the browser's memory while the user moves from page to page, and the browser discards them when it is closed. They carry no Expires or Max-Age attribute; that absence is how the browser recognises a cookie as a session cookie.
Persistent Cookies
Persistent cookies, unlike session cookies, carry an expiry date (the Expires attribute) or a lifetime in seconds (Max-Age), so the browser writes them to disk. Until that time passes, the browser sends the cookie with every request to the issuing site, whether the user visits the site directly or loads a resource belonging to that site from another website.
For this reason they are also called tracking cookies: an advertiser can use them to build up a list of the sites a user has visited over a period of time. They also have legitimate uses, such as keeping an account logged in so the user need not re-enter credentials on every visit. A persistent cookie disappears only when it reaches its expiry time or is deleted manually.
Secure Cookies
A secure cookie is one the browser sends only over an encrypted (HTTPS) connection, so it cannot be captured by someone observing unencrypted traffic. A cookie gets this property by adding the Secure attribute to the Set-Cookie header. Secure protects the cookie in transit only; it does nothing against script running in the page.
HTTP-only Cookies
An HttpOnly cookie cannot be read by client-side script through APIs such as document.cookie. This restriction blocks cookie theft via cross-site scripting (XSS), but the browser still attaches the cookie to requests automatically, so HttpOnly cookies remain exposed to cross-site request forgery (CSRF, also written XSRF) and, on servers that leave the TRACE method enabled, to cross-site tracing (XST), which reflects the request headers, cookies included, back to the page. A cookie is given this property by adding the HttpOnly attribute.
Same-site Cookies
Same-site cookies were introduced in Chrome 51. They are sent only with requests that originate from the same site as the target domain, which cuts off the cross-site requests that cross-site request forgery depends on. The property is set with the SameSite attribute: Strict withholds the cookie from every cross-site request; Lax still sends it on top-level navigations such as following a link, but not on cross-site sub-resource loads or POSTs; None allows all cross-site requests but is accepted only together with Secure. Current browsers (Chrome since version 80) treat a cookie with no SameSite attribute as Lax.
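The following is an added example, not code from the original article: a small model of how a browser interprets the Set-Cookie attributes covered in the preceding paragraphs. It parses a Set-Cookie header, classifies the cookie as session or persistent from Expires/Max-Age, reports whether page script could read it (HttpOnly), and decides whether the cookie would be attached to a request given its scheme and whether it is cross-site (Secure and SameSite). The request descriptions passed to wouldSend() are constructed for illustration and the function names are this example's own.

```javascript
// Added example, not part of the original page: how a browser applies the
// Expires/Max-Age, Secure, HttpOnly and SameSite attributes of a Set-Cookie header.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,    // Secure attribute present?
    httpOnly: false,  // HttpOnly attribute present?
    sameSite: null,   // 'Strict' | 'Lax' | 'None' | null when the attribute is absent
    expires: null,    // epoch milliseconds, or null for a session cookie
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val.charAt(0).toUpperCase() + val.slice(1).toLowerCase();
    else if (key === 'max-age') cookie.expires = Date.now() + Number(val) * 1000; // Max-Age wins over Expires
    else if (key === 'expires' && cookie.expires === null) cookie.expires = Date.parse(val);
  }
  return cookie;
}

// No Expires/Max-Age: kept in memory only and dropped when the browser closes.
function isSessionCookie(cookie) {
  return cookie.expires === null;
}

// Can page script read it through document.cookie?  Not if HttpOnly is set.
function readableByScript(cookie) {
  return !cookie.httpOnly;
}

// Would a browser attach the cookie to a request?  `req` is a constructed description:
//   scheme: 'http' | 'https'
//   crossSite: true when the request is made from a different site than the cookie's
//   topLevelNavigation: true for following a link, false for sub-resources and XHR/fetch
//   method: HTTP method
function wouldSend(cookie, req) {
  if (cookie.secure && req.scheme !== 'https') return false; // Secure: encrypted connections only
  const mode = cookie.sameSite || 'Lax';                      // absent attribute is treated as Lax
  if (mode === 'None' && !cookie.secure) return false;        // browsers reject SameSite=None without Secure
  if (req.crossSite) {
    if (mode === 'Strict') return false;                      // never sent cross-site
    if (mode === 'Lax' && !(req.topLevelNavigation && req.method === 'GET')) return false;
  }
  return true;
}

// Stand-alone demo: one hardened session cookie under several request conditions.
if (typeof require !== 'undefined' && require.main === module) {
  const c = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict');
  console.log('session cookie:', isSessionCookie(c), 'readable by script:', readableByScript(c));
  console.log('same-site over https:', wouldSend(c, { scheme: 'https', crossSite: false, topLevelNavigation: true, method: 'GET' }));
  console.log('cross-site link over https:', wouldSend(c, { scheme: 'https', crossSite: true, topLevelNavigation: true, method: 'GET' }));
}
```

The point to take from running it: the same cookie that is sent on a same-site HTTPS request is withheld from a plaintext request (Secure), from cross-site requests (SameSite=Strict), and from document.cookie (HttpOnly), which is why a session cookie should normally carry all three attributes.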
Third-party Cookies
Normally a cookie's Domain attribute matches the domain shown in the browser's address bar; such cookies are called first-party cookies. A third-party cookie belongs to a domain other than the one in the address bar. These arise whenever a page embeds content from another site, such as an advertisement. If the user visits xyz.com and the page contains an advertisement served from abc.com, the browser ends up holding cookies for both, and the abc.com cookie is sent to the advertiser on every site that carries its advertisements. The advertiser can therefore use that single cookie to reconstruct the user's browsing history across all the sites that show its advertisements.
Some years ago some companies were setting cookies readable by 100 third-party domains. On average a website was setting around 10 cookies, with counts of up to about 800 seen on some sites.
Modern browsers offer privacy settings that block third-party cookies.
Super Cookies
A super cookie is a cookie whose origin is a top-level domain such as .com or a public suffix such as .co.uk, whereas an ordinary cookie is scoped to a specific registered domain such as abc.com.
Such cookies are a serious security concern and are therefore blocked by browsers. If a browser did accept one, an attacker controlling a malicious website could set a super cookie that would be sent to every other site sharing the malicious site's top-level domain or public suffix. For example, a super cookie with an origin of .com would be attached to requests to abc.com even though it was not set by abc.com, which could be used to plant a forged login state or to alter the user's information on that site.
The Public Suffix List helps mitigate the risk that super cookies pose. It is a cross-vendor initiative that maintains an accurate, up-to-date list of the domain suffixes under which anyone can register a name, and browsers refuse to set cookies whose Domain attribute is one of those suffixes.
The term supercookie is also used for tracking mechanisms that are not HTTP cookies at all. Such a mechanism was found on a Microsoft website in August 2011; after media attention, Microsoft disabled it.
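The following is an added example, not code from the original article, covering both the first-party/third-party distinction and the super cookie check from the preceding paragraphs. It implements the domain-matching rule of RFC 6265 (section 5.1.3) and uses a public suffix lookup to refuse a Domain attribute that names a public suffix, and to decide whether a cookie is third-party relative to the site in the address bar. PUBLIC_SUFFIXES is a constructed excerpt of a handful of entries; the real Public Suffix List is far longer, and the function names are this example's own.

```javascript
// Added example, not part of the original page: RFC 6265 domain matching plus a
// public suffix check, as a browser applies them when storing and sending cookies.

// Constructed excerpt; the real Public Suffix List contains thousands of rules.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'uk', 'co.uk', 'io', 'github.io']);

function normalizeDomain(d) {
  return d.toLowerCase().replace(/^\./, '').replace(/\.$/, '');
}

// Registrable domain (eTLD+1): the label just above the longest public suffix
// that ends the host.  Returns null when the host itself is a public suffix.
function registrableDomain(host) {
  const labels = normalizeDomain(host).split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // Unknown TLD: the list's default rule treats the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

function isPublicSuffix(domain) {
  return registrableDomain(domain) === null;
}

// RFC 6265 section 5.1.3: host domain-matches cookieDomain when they are equal, or
// when host ends with "." + cookieDomain and host is not an IPv4 address.
function domainMatches(host, cookieDomain) {
  const h = normalizeDomain(host);
  const d = normalizeDomain(cookieDomain);
  if (h === d) return true;
  return h.endsWith('.' + d) && !/^\d{1,3}(\.\d{1,3}){3}$/.test(h);
}

// What a browser should do with a Set-Cookie carrying `domainAttr` in a response
// from `responseHost`: refuse public suffixes (super cookies) and refuse domains
// that do not cover the responding host; otherwise accept a domain cookie.
function acceptDomainAttribute(responseHost, domainAttr) {
  if (!domainAttr) return { accept: true, domain: normalizeDomain(responseHost), hostOnly: true };
  const domain = normalizeDomain(domainAttr);
  if (isPublicSuffix(domain)) return { accept: false, reason: 'Domain is a public suffix (super cookie)' };
  if (!domainMatches(responseHost, domain)) return { accept: false, reason: 'response host is outside Domain' };
  return { accept: true, domain, hostOnly: false };
}

// First- vs third-party: a cookie is third-party when its registrable domain
// differs from that of the site shown in the address bar.
function isThirdParty(addressBarHost, cookieDomain) {
  return registrableDomain(addressBarHost) !== registrableDomain(cookieDomain);
}

// Stand-alone demo with constructed hosts.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(acceptDomainAttribute('www.abc.com', '.com'));      // refused: super cookie
  console.log(acceptDomainAttribute('www.abc.com', 'abc.com'));   // accepted domain cookie
  console.log(acceptDomainAttribute('www.abc.com', 'xyz.com'));   // refused: host outside Domain
  console.log(isThirdParty('xyz.com', 'ads.abc.com'));             // true: advertiser's cookie on xyz.com
}
```

Two details worth noting: the matching works on registrable domains rather than raw hostnames, so a cookie for abc.com viewed on www.abc.com is still first-party; and a domain attribute that is exactly a public suffix is refused before any matching is attempted, which is the check that stops a .com super cookie from being stored at all.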
How to edit the cookie
Click the extension's icon in the browser. To delete a cookie, select it and click the delete button, the first button from the left.
To add a new cookie, click the import button, the fourth from the left, and paste the cookie into the space provided.
To export a cookie, click the export button; the cookie is copied to the clipboard and can be pasted wherever it is needed. Bear in mind that an exported session cookie is as good as the password for that session: anyone who obtains it can log in as that user without the password, so treat an export like a credential and share it only deliberately.
After adding or editing a cookie, click the tick mark below the fields to confirm the change.