Web application security - the fast guide Chapter 5: Attack Execution - the client | Page 4
Altering cookies
Attack requirements:
A. Existence of a cookie used to store state information.
B. The cookie is used directly by the server without being checked.
Attack process:
A. Using a proxy, capture the request or the response writing the cookie.
B. Alter the cookie value after intercepting the request or response.
C. Release the altered request or response.
2017-05-10
Sequence shown in the slide diagram (client, Burp proxy, server):
1. Send a request to the server.
2. Intercept the request with Burp.
3. The server sends a response with the legitimate cookie.
4. Alter and retransmit the response.
5. The altered cookie is written on the client.
6. Send the altered cookie with the privileged value to the server.
7. The server sends a privileged response.
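The sequence above works only because of requirement B: the server reads the cookie value and acts on it without any check. The following Python is an added example (not from the slides or the book) contrasting the unchecked pattern with two server-side defences: an HMAC-signed cookie, which detects any alteration of the stored state, and an opaque session identifier, which keeps the state on the server so there is nothing meaningful in the cookie to alter. `SERVER_KEY`, `SESSION_STORE` and all function names are assumptions made for this example; the secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed placeholder secret. In a real deployment this comes from
# configuration or a secret store, never from source code.
SERVER_KEY = b"example-server-key-placeholder"

# In-memory session store for the opaque-session pattern (assumption:
# a real application would use a database or cache with expiry).
SESSION_STORE = {}


def parse_cookie_header(header):
    """Parse a Cookie request header such as 'a=1; b=2' into a dict."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


# --- Vulnerable pattern (requirement B on the slide) -----------------------
def is_privileged_unchecked(cookie_header):
    """Trusts the cookie as sent by the client: 'role=admin' is enough."""
    return parse_cookie_header(cookie_header).get("role") == "admin"


# --- Defence 1: state kept in the cookie, but authenticated with an HMAC ---
def issue_signed_state(role, key=SERVER_KEY):
    """Server writes 'role.tag' where tag = HMAC-SHA256(key, role)."""
    tag = hmac.new(key, role.encode(), hashlib.sha256).digest()
    return role + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_signed_state(value, key=SERVER_KEY):
    """Return the role only if the tag matches; None on any alteration."""
    if not value or "." not in value:
        return None
    role, _, tag = value.rpartition(".")
    expected = hmac.new(key, role.encode(), hashlib.sha256).digest()
    expected_b64 = base64.urlsafe_b64encode(expected).decode().rstrip("=")
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected_b64, tag):
        return None
    return role


def is_privileged_signed(cookie_header, key=SERVER_KEY):
    role_value = parse_cookie_header(cookie_header).get("role")
    return verify_signed_state(role_value, key) == "admin"


# --- Defence 2: opaque session id, role looked up on the server ------------
def issue_session(role):
    """Create a server-side session and return the random id for the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"role": role}
    return sid


def is_privileged_session(cookie_header):
    sid = parse_cookie_header(cookie_header).get("sid")
    return SESSION_STORE.get(sid, {}).get("role") == "admin"


if __name__ == "__main__":
    # The altered-cookie step from the slide, replayed against each check.
    print("unchecked, altered cookie:", is_privileged_unchecked("role=admin"))
    legit = issue_signed_state("user")
    altered = "admin." + legit.split(".", 1)[1]  # keep tag, change the state
    print("signed, altered cookie:   ", is_privileged_signed("role=" + altered))
    sid = issue_session("user")
    print("session, altered cookie:  ", is_privileged_session("sid=" + sid + "x"))
```

The signed-cookie variant still exposes the state value to the client (it is readable, just not alterable), so the session-id variant is the better fit where the value itself is sensitive. Either way the server-side check is what removes requirement B.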
Web Application Security Fast Guide (book slides)
By Dr.Sami Khiami
Slide 4