Automate the verification of session cookie attributes
DOI: https://doi.org/10.20535/2411-1031.2024.12.1.306260
Keywords: cookies, vulnerabilities, CSRF, web application, security, session
Abstract
In this research, we focus on a critical web security topic, namely the security of session cookies, which play a key role in the functioning of modern web applications. As the standard mechanism for storing data on the client side, cookies are crucial for authentication, authorization and maintaining the state of a user's session. However, despite their necessity and convenience, cookies can also pose serious security risks. Our research focuses on the analysis and automation of cookie attribute verification, which is critical to ensuring protection against various web attacks. Identifying and eliminating weaknesses in cookie attributes can significantly reduce the risk of attacks such as session hijacking, cross-site scripting (XSS) and cross-site request forgery (CSRF). We take an in-depth look at modern methods and tools for securing cookies, including the enforcement of strict policies on cookie attributes such as Secure, HttpOnly, and SameSite. These attributes restrict access to cookies from client-side scripts, keep them off unencrypted connections, and provide additional protection against cross-site attacks. In addition, we consider the importance of the updated cookie standard, RFC6265bis, which offers improved security mechanisms, including the SameSite attribute, which controls whether cookies are sent with cross-site requests and thereby reduces the risk of CSRF attacks. Our research also includes an analysis of potential threats and vulnerabilities associated with the misuse or misconfiguration of cookies, as well as a discussion of strategies to minimize these risks. We demonstrate how detailed automated verification of cookie attributes can significantly improve the security of web applications. The results of the study point to the need to constantly monitor and evaluate the protection of session cookies, as well as the importance of implementing security best practices and standards to ensure the reliability and security of web applications.
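The kind of automated attribute check the abstract describes, written here as an added illustration rather than the authors' own tool: it parses Set-Cookie headers, decides heuristically which cookies are session cookies (the name list and the "ends with session" rule are assumptions), and reports missing Secure, HttpOnly and SameSite attributes, a SameSite=None cookie that lacks Secure, and violations of the __Host- and __Secure- name-prefix rules from RFC6265bis. The sample headers and the finding codes are constructed for this example.

```python
"""Check Set-Cookie headers for the attributes a session cookie should carry."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cookie names treated as session cookies (assumed heuristic; extend per application).
SESSION_COOKIE_NAMES = (
    "sessionid", "jsessionid", "phpsessid", "session", "connect.sid", "asp.net_sessionid",
)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attribute-lowercase: value}).

    Valueless attributes such as Secure and HttpOnly are stored with an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_session_cookie(name: str) -> bool:
    """Heuristic: well-known framework names or any name ending in 'session'."""
    lowered = name.lower()
    return lowered in SESSION_COOKIE_NAMES or lowered.endswith("session")


def check_cookie(header: str) -> List[str]:
    """Return finding codes for one Set-Cookie header (empty list means nothing flagged)."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    raw_samesite: Optional[str] = attrs.get("samesite")
    samesite = raw_samesite.lower() if raw_samesite is not None else None
    findings: List[str] = []

    if is_session_cookie(name):
        if not secure:
            findings.append("no-secure")      # may travel over plain HTTP
        if not httponly:
            findings.append("no-httponly")    # readable via document.cookie, so XSS can steal it
        if samesite is None:
            findings.append("no-samesite")    # relies on the browser default; state it explicitly

    # RFC6265bis: SameSite=None is only honoured when Secure is also present.
    if samesite == "none" and not secure:
        findings.append("samesite-none-without-secure")

    # RFC6265bis cookie-name prefixes carry their own requirements.
    if name.startswith("__Host-"):
        if not secure:
            findings.append("host-prefix-requires-secure")
        if "domain" in attrs:
            findings.append("host-prefix-forbids-domain")
        if attrs.get("path") != "/":
            findings.append("host-prefix-requires-root-path")
    elif name.startswith("__Secure-") and not secure:
        findings.append("secure-prefix-requires-secure")
    return findings


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its finding codes."""
    return {parse_set_cookie(h)[0]: check_cookie(h) for h in headers}


# Constructed sample headers for the demonstration (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "PHPSESSID=def456; Path=/",
    "tracker=xyz; SameSite=None",
    "__Host-session=ghi789; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-bad=jkl; Path=/; Domain=example.com; HttpOnly",
]

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not findings else ', '.join(findings)}")
```

In practice the input list is the set of Set-Cookie headers from a real response (for example, every value returned by `HTTPMessage.get_all("Set-Cookie")` in Python's urllib), so the same function can be run against each endpoint that establishes a session and its findings compared over time.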
Copyright (c) 2024 Collection "Information Technology and Security"
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors published in this collection agree to the following terms:
- The authors retain authorship of their work and grant the collection the right of first publication; the work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with mandatory reference to the authors of the original work and to its first publication in this collection.
- The authors have the right to conclude an agreement on the exclusive distribution of the work in the form in which it was published in this collection (for example, to deposit the work in an institutional digital repository or to publish it as part of a monograph), provided that reference is made to the first publication of the work in this collection.
- The journal's policy allows and encourages authors to post the manuscript of the work on the Internet (for example, in repositories or on personal websites) before submitting the manuscript to the editors and during its editorial processing, as this contributes to productive scientific discussion and has a positive effect on the efficiency and dynamics of citation of the published work (see The Effect of Open Access).