Welcome to Scribd!

Cookies: Troy Hunt @troyhunt

Uploaded by

0% found this document useful (0 votes)

59 views7 pages

Cookies are pieces of text stored in a browser that are used to exchange information between a web server and browser. The document discusses various attributes of cookies including HttpOnly, secure, path, and expiration that can be configured to increase security. Specifically, it recommends using HttpOnly to prevent client-side script access, secure to only transmit over HTTPS, limiting the path scope, and expiring cookies quickly or using session cookies to reduce risk.

Original Description:

Original Title

4-hack-yourself-first-m5-slides

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pdf or txt

0% found this document useful (0 votes)

59 views7 pages

Cookies: Troy Hunt @troyhunt

Uploaded by

nicolas ortiz

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pdf or txt

Jump to Page

You are on page 1of 7

Search inside document

Cookies

Troy Hunt
troyhunt.com
@troyhunt
Outline

 Cookies 101
 Understanding HttpOnly cookies
 Understanding secure cookies
 Restricting cookie access by path
 Reducing risk with cookie expiration
 Using session cookies to further reduce risk
Cookies 101

 Cookies are nothing more than simple pieces of text stored in the
browser:
Set-Cookie: name=value;

[page contents]

 The server may set a cookie via the HTTP response header…
 …or it may be set (and read) via JavaScript directly in the DOM
 Cookies are automatically passed back to the website in the header of
each request:

GET http://hackyourselffirst.troyhunt.com/ HTTP/1.1

Cookie: name=value;
Understanding the HTTP cookie exchange

Resource is requested

Server responds with Set-Cookie in the header

Subsequent requests automatically send the cookie

Cookie security

 Cookies frequently contain data of a sensitive nature

 We saw this with the auth cookie in the last two modules
 Browsers implement native defences to protect cookies to some
degree
 But this can still be exploited by attacks such as XSS
 Cookies can be further secured by understanding and tuning their
attributes
Cookie attributes

 Domain Set-Cookie: name=value;

 Path Domain=hackyourselffirst.troyhunt.com;
Path=/;
 Expiration
Expires=Sat, 10-Aug-2013 07:12:19 GMT;
 HttpOnly
HttpOnly;
 Secure Secure;
Summary

 Cookies are a fundamentally simple concept yet they are frequently

configured in a sub-optimal fashion in terms of security
 Default framework configurations can often exacerbate this
 HttpOnly is absolutely essential if the cookie isn’t required to be
accessed via client script
 Any cookie holding data of a sensitive nature should always be
marked as “secure”
 Don’t allow important cookies like auth cookies to travel over HTTP
connections
 Consider the path scope of a cookie; can you limit the important ones?
 Try and expire cookies as quickly as possible
 Short expirations or session cookies are ideal…
 …but consider the adverse impact to usability and strike a happy balance

E B Tylor and The Anthropology of Religion
Document7 pages
E B Tylor and The Anthropology of Religion
lewis_cynthia
100% (1)
Exploiting Active Directory Administrator Insecurities: Sean Metcalf S e A N at Adsecurity - Org
Document163 pages
Exploiting Active Directory Administrator Insecurities: Sean Metcalf S e A N at Adsecurity - Org
nicolas ortiz
No ratings yet
Advanced IP-Chapter-5 - Lect-11-PHP Cookies & Sessions
Document35 pages
Advanced IP-Chapter-5 - Lect-11-PHP Cookies & Sessions
Abrham Tegegne
No ratings yet
PHP Cookies
Document9 pages
PHP Cookies
deepblue5991
No ratings yet
Module 5.6: Cookies, Frames and Frame Busting
Document13 pages
Module 5.6: Cookies, Frames and Frame Busting
Harpreet Singh
No ratings yet
Lecture 31
Document15 pages
Lecture 31
api-3729920
No ratings yet
2022 12 27 ZAP Report
Document7 pages
2022 12 27 ZAP Report
RandomG05
No ratings yet
Cookies: BY Aravind, Helvin M Geevar, Sowmya, Thamjeeth, Saran
Document18 pages
Cookies: BY Aravind, Helvin M Geevar, Sowmya, Thamjeeth, Saran
ROHITSARAN.SACHIN
No ratings yet
PHP - Cookies: The Anatomy of A Cookie
Document4 pages
PHP - Cookies: The Anatomy of A Cookie
survivalofthepoly
No ratings yet
Chap4 Cookies
Document11 pages
Chap4 Cookies
Tanmay Vaij
No ratings yet
OWASPLondon20171130 Cookie Security Myths Misconceptions David Johansson
Document32 pages
OWASPLondon20171130 Cookie Security Myths Misconceptions David Johansson
pikatsu pokemon
No ratings yet
Working With Cookies: Presentation On
Document9 pages
Working With Cookies: Presentation On
vijay
No ratings yet
Cookies in ASP
Document4 pages
Cookies in ASP
aravinddasa715
100% (1)
Client-Side Authentication The Right Way (Cookies
Document3 pages
Client-Side Authentication The Right Way (Cookies
CJ Ho
No ratings yet
Authentication and Authorization Lecture 7
Document42 pages
Authentication and Authorization Lecture 7
emome3419
No ratings yet
Website Development Using PHP & Mysql: Fcait BCA
Document21 pages
Website Development Using PHP & Mysql: Fcait BCA
Kartik Singhal
100% (1)
Webengenering Assignment No 3
Document5 pages
Webengenering Assignment No 3
zeeshan noor
No ratings yet
Browser Security II (Slides)
Document50 pages
Browser Security II (Slides)
Dan Vollek
No ratings yet
The Cookie Monster in Our Browsers
Document77 pages
The Cookie Monster in Our Browsers
tito123
No ratings yet
Creating/Writing Cookies: Way 1 (By Using Httpcookies Class)
Document4 pages
Creating/Writing Cookies: Way 1 (By Using Httpcookies Class)
Muthu Pandi
No ratings yet
Week 8 Dynamic Web Programming Universitas Muhammadiyah Surakarta
Document23 pages
Week 8 Dynamic Web Programming Universitas Muhammadiyah Surakarta
maryam
No ratings yet
33小铺扫描附件
Document9 pages
33小铺扫描附件
ni ko
No ratings yet
HTTP Security Headers With Nginx
Document8 pages
HTTP Security Headers With Nginx
creative.ayan
No ratings yet
1d9bchandling Cookies in ASP
Document5 pages
1d9bchandling Cookies in ASP
Darpita Saxena
No ratings yet
HTTP Header Security (Slide)
Document27 pages
HTTP Header Security (Slide)
Dan Vollek
No ratings yet
Experiment No. 4 Title: Cookies and Session Handling Using PHP
Document12 pages
Experiment No. 4 Title: Cookies and Session Handling Using PHP
gehobe2796
No ratings yet
PHP Cookies and Session
Document35 pages
PHP Cookies and Session
Shailaja Vadgaonkar
No ratings yet
Cookies & Sessions
Document26 pages
Cookies & Sessions
Merlin Mathew
No ratings yet
Web Security: Session Management: Dan Boneh
Document37 pages
Web Security: Session Management: Dan Boneh
Dhimas WP
No ratings yet
PHP Cookies
Document9 pages
PHP Cookies
BIna
No ratings yet
Lab 4 - Session - Cookies
Document7 pages
Lab 4 - Session - Cookies
Gudako Chaotic-Evil
No ratings yet
Session and Cookie
Document8 pages
Session and Cookie
Online User
No ratings yet
05-Web Application Vulnerabilities II (Website Attacks Tips)
Document4 pages
05-Web Application Vulnerabilities II (Website Attacks Tips)
fghjkl
No ratings yet
Computer Security Cheat Sheet
Document3 pages
Computer Security Cheat Sheet
t rex422
No ratings yet
Unit-IV Part-I PHP
Document4 pages
Unit-IV Part-I PHP
Suraj Bhosale
No ratings yet
Cookies and Session
Document8 pages
Cookies and Session
GODDU NAVVEN BABU
No ratings yet
Cookies
Document21 pages
Cookies
deyaataha9999
No ratings yet
Beisa Document
Document23 pages
Beisa Document
bayisadamisse
No ratings yet
Security Vulnerabilities
Document16 pages
Security Vulnerabilities
PRADEEP SELVENTHIRAN
No ratings yet
PHP - Cookies: Assistant Prof. Dr. Rafah M. Almuttairi
Document15 pages
PHP - Cookies: Assistant Prof. Dr. Rafah M. Almuttairi
Zain Alabeeden Alareji
No ratings yet
Sy306 Web and Databases For Cyber Operations Set #10: Cookies in Javascript and Python
Document9 pages
Sy306 Web and Databases For Cyber Operations Set #10: Cookies in Javascript and Python
Penghakiman Dunia Akhirat
No ratings yet
CSS Chapter 4 Notes
Document12 pages
CSS Chapter 4 Notes
pathanfarhankhan712
No ratings yet
PHP Cookies and Sessions
Document6 pages
PHP Cookies and Sessions
Sibtul Hassan
No ratings yet
Cookies
Document45 pages
Cookies
bogne
No ratings yet
Chapter 6 Cookies and Sessions
Document20 pages
Chapter 6 Cookies and Sessions
Peter Ng De Cong
No ratings yet
Chapter 6 Cookies and Sessions
Document20 pages
Chapter 6 Cookies and Sessions
EVELYN LIM JIA XUAN
No ratings yet
Configuring A Session Cookie Persistence Profile.3
Document2 pages
Configuring A Session Cookie Persistence Profile.3
sanj
No ratings yet
Cookies and Browser Data
Document53 pages
Cookies and Browser Data
psarthak1974
No ratings yet
Unit-V: Introduction To Cookies
Document32 pages
Unit-V: Introduction To Cookies
Nikhil Bindal
No ratings yet
Cookies: COEN 351 E-Commerce Security
Document27 pages
Cookies: COEN 351 E-Commerce Security
Shiva Netha
No ratings yet
Type of Cookies?: Timespan
Document2 pages
Type of Cookies?: Timespan
Sanath Murdeshwar
No ratings yet
Session Integrity
Document8 pages
Session Integrity
sdgsfdgg
No ratings yet
Website Vulnerability Scanner Report (Light)
Document6 pages
Website Vulnerability Scanner Report (Light)
Stevi Nangon
No ratings yet
15 526 Topic11
Document35 pages
15 526 Topic11
versalas24
No ratings yet
Imageid, Imageurl, Imagedes: Dbcreation - PHP //connect To The Server Using The Correct Username and Password
Document39 pages
Imageid, Imageurl, Imagedes: Dbcreation - PHP //connect To The Server Using The Correct Username and Password
duddeanudeep
No ratings yet
Sub Session Hijacking On The Web Root CA
Document25 pages
Sub Session Hijacking On The Web Root CA
Christopher Stewart
No ratings yet
Cookie Management
Document11 pages
Cookie Management
Bhautik
No ratings yet
Unit 4 (Session & Cookies) PHP
Document8 pages
Unit 4 (Session & Cookies) PHP
aaryanbhatnagar04
No ratings yet
Cookie Testing Guru99
Document9 pages
Cookie Testing Guru99
qabiswajit
No ratings yet
Mrodriguez - Wordpress.com
Document7 pages
Mrodriguez - Wordpress.com
David Fernando Olmos Moscoso
No ratings yet
Wordpress Security + Multi-Backups
From Everand
Wordpress Security + Multi-Backups
Allan Tépper
No ratings yet
ASP.NET Core Security
From Everand
ASP.NET Core Security
Christian Wenz
Rating: 5 out of 5 stars
5/5 (1)
A Journey Into A RedTeam 2018
Document67 pages
A Journey Into A RedTeam 2018
nicolas ortiz
No ratings yet
Transport Layer Protection: Troy Hunt @troyhunt
Document11 pages
Transport Layer Protection: Troy Hunt @troyhunt
nicolas ortiz
No ratings yet
Parameter Tampering: Troy Hunt @troyhunt
Document10 pages
Parameter Tampering: Troy Hunt @troyhunt
nicolas ortiz
No ratings yet
9 Hack Yourself First m10 Slides
Document7 pages
9 Hack Yourself First m10 Slides
nicolas ortiz
No ratings yet
Hack Yourself First: How To Go On The Offence Before Online Attackers Do
Document5 pages
Hack Yourself First: How To Go On The Offence Before Online Attackers Do
nicolas ortiz
No ratings yet
Cross Site Attacks: Troy Hunt @troyhunt
Document8 pages
Cross Site Attacks: Troy Hunt @troyhunt
nicolas ortiz
No ratings yet
Documentation PDF
Document87 pages
Documentation PDF
nicolas ortiz
No ratings yet
SQL - Server - Health - Check Sample
Document22 pages
SQL - Server - Health - Check Sample
nicolas ortiz
No ratings yet
The Lexical Features of English Advertisement: Abstract
Document3 pages
The Lexical Features of English Advertisement: Abstract
Regina Apsalyamova
No ratings yet
ODE Lecture 14
Document34 pages
ODE Lecture 14
PS Surya
No ratings yet
A Jjeb Lug 1 P360 1 2020
Document6 pages
A Jjeb Lug 1 P360 1 2020
Musaazi Derrick
No ratings yet
Mann. What Songs The Beatles Sang
Document2 pages
Mann. What Songs The Beatles Sang
soundsmaker
No ratings yet
Week 2 COM 101
Document34 pages
Week 2 COM 101
Jhon Mark Santonia
No ratings yet
Gse Assessment Framework Young Learners
Document28 pages
Gse Assessment Framework Young Learners
Advance Fun English Learning Centre
No ratings yet
At The End of This Chapter, The Student Can Be Able To
Document17 pages
At The End of This Chapter, The Student Can Be Able To
Johanna
No ratings yet
How To Configure Custom Listener Using TOCF (EE) in Jboss
Document15 pages
How To Configure Custom Listener Using TOCF (EE) in Jboss
Emmanuel Uchenna Chukwu
No ratings yet
Barbara Metcalf - Living Hadith in Jemaat Tabligh
Document26 pages
Barbara Metcalf - Living Hadith in Jemaat Tabligh
Ilham
No ratings yet
Lexical Morphology
Document13 pages
Lexical Morphology
Fatima Mirza
No ratings yet
Ciceri Oviedo - Oscar Orlando - GrammarW 1 - Level 4
Document5 pages
Ciceri Oviedo - Oscar Orlando - GrammarW 1 - Level 4
OSCAR ORLANDO CICERY OVIEDO
No ratings yet
Script
Document79 pages
Script
Muhammad Dhiyaa Islami
No ratings yet
Task 1: Pengandaian Diikuti Saran
Document4 pages
Task 1: Pengandaian Diikuti Saran
cewe moody
No ratings yet
Lesson 1: Creating A Topic and Framing The Research Problem
Document13 pages
Lesson 1: Creating A Topic and Framing The Research Problem
maggie smith
No ratings yet
Ballroom Dance
Document41 pages
Ballroom Dance
Jack
No ratings yet
Client Log
Document7 pages
Client Log
Alexander Morante
No ratings yet
Enthought MATLAB To Python White Paper
Document52 pages
Enthought MATLAB To Python White Paper
Weijie Chen
50% (2)
2 Bim L A N 10 Ingles
Document29 pages
2 Bim L A N 10 Ingles
Alejandro Olea
No ratings yet
Nadia Lesson Plan Day 2
Document2 pages
Nadia Lesson Plan Day 2
api-305524125
No ratings yet
Lesson 4:: Kicking It Off
Document9 pages
Lesson 4:: Kicking It Off
Kevin Blasurca
No ratings yet
The Legend of Maria Makiling
Document4 pages
The Legend of Maria Makiling
Rxle
No ratings yet
CPP Full
Document120 pages
CPP Full
Vibhor Kaushik
No ratings yet
$$ - The Nature of Language by Three Muslim Thinkers' Perspective
Document13 pages
$$ - The Nature of Language by Three Muslim Thinkers' Perspective
Muhammad Gaffar
No ratings yet
Om Sthitiayeh Namah - : Year# 1 Issue No. 52
Document11 pages
Om Sthitiayeh Namah - : Year# 1 Issue No. 52
Ritesh Tilve
No ratings yet
Ai For Speech Recognition
Document24 pages
Ai For Speech Recognition
shaikshaa007
100% (4)
VM's vs. Containers
Document7 pages
VM's vs. Containers
Nas Siri
No ratings yet
Should Writers Use They Own English
Document10 pages
Should Writers Use They Own English
Yira Melissa CASTILLO RAMOS
No ratings yet
Makalah Ikhtisan Sebagai Sumber Hukum Islam
Document21 pages
Makalah Ikhtisan Sebagai Sumber Hukum Islam
AdiAriandi
No ratings yet