This guide explains what cookie tossing means, how malicious cookies can affect sessions, a simple example, and prevention methods for developers and security teams.
What is Cookie Tossing?
Cookie tossing is a cyberattack technique that exploits vulnerabilities in the way cookies work within a domain and its subdomains and how web browsers handle them.
It involves abusing cookie scope, domain attributes, or subdomain control to introduce a cookie that competes with a legitimate application cookie. This page explains the concept for awareness and defense, not for misuse.
HTTP Cookies Basics
Cookies are small pieces of data stored on a user’s device by websites they visit. They are primarily used to remember user preferences, track their activity, and enhance their browsing experience. Cookies are created by web servers and sent to the user’s browser, where they are stored and sent back to the server each time the browser requests a page from that server.
There are two main types of cookies: session cookies and persistent cookies. This guide refers to session cookies.
How Cookie Tossing Works
Here is a breakdown of a typical cookie tossing attack:
1. Subdomain Control
The attacker needs control over a subdomain of the target website. This could be achieved through various means, such as exploiting a vulnerability on an existing subdomain or legitimately obtaining one.
2. Cookie Manipulation
The attacker sets a malicious cookie on the subdomain with the same name and path as a legitimate cookie used by the website.
3. Browser Deception
When a user visits the main website, their browser sends both the legitimate cookie and the attacker’s cookie.
4. Exploitation
Depending on the security measures of the website, the attacker’s cookie may be used instead of the legitimate cookie, allowing the attacker to exploit this situation for various purposes, such as session hijacking, data exfiltration, and CSRF attacks.
Cookie Tossing vs Session Fixation
Cookie tossing and session fixation both involve unsafe session handling, but they are not identical. Cookie tossing focuses on how a cookie from a subdomain or related scope may be sent to another application, while session fixation focuses on forcing or reusing a known session identifier.
Both risks can be reduced with strict cookie attributes, secure session rotation, strong subdomain control, and careful validation of which cookie the server accepts. Related web risks include XSS attacks, input validation attacks, and unsafe session-management design.
Example
Imagine that a malicious subdomain ‘attacker.example.com’ sets a cookie named ‘session_id’ with a spoofed value resembling a legitimate session ID. When you visit ‘example.com’, your browser sends both the legitimate ‘session_id’ cookie from the main domain and the attacker’s cookie. The Cookie header carries no indication of which host set each cookie, so if the website doesn’t properly handle a duplicated cookie name, the attacker’s cookie might be used, potentially allowing them to hijack your session.
Target Website: example.com (main website)
Attacker-Controlled Subdomain: attacker.example.com
Attack Steps:
1. The attacker sets a cookie named ‘session_id’ on ‘attacker.example.com’ with a forged value resembling a legitimate session ID.
2. The user visits ‘example.com’. Their browser sends all cookies, including the malicious ‘session_id’ from ‘attacker.example.com’.
3. If the website’s security is weak, it might mistake the attacker’s cookie for a valid one, potentially granting unauthorized access to the user’s account.
Prevention Methods
Several measures can help prevent cookie tossing attacks and reduce session-management risk:
• Secure Subdomains
Implement robust security measures to prevent unauthorized access to subdomains.
• Patch Vulnerabilities
Regularly patch vulnerabilities in website software to prevent XSS attacks.
• Secure Cookie Attributes
Website owners should implement proper cookie security measures, such as using the ‘HttpOnly’ and ‘Secure’ flags, and restricting each cookie’s Domain scope to only the subdomains that actually need it.
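The scenario in the Example section and the cookie-attribute advice above, as an added Python example (not code from the original page): it replays the toss through the standard library's http.cookiejar, which applies browser-style Domain matching, and then shows a server-side lookup that refuses to authenticate when the Cookie header carries two session_id cookies. The hostnames, cookie values and the _Resp helper are constructed for the demo.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

class _Resp:
    """Constructed stand-in: just enough of an HTTP response for CookieJar."""

    def __init__(self, set_cookie_lines):
        self._hdr = Message()
        for line in set_cookie_lines:
            self._hdr["Set-Cookie"] = line  # Message keeps repeated headers

    def info(self):
        return self._hdr

def cookie_header_for(jar, url):
    """Return the Cookie header the jar attaches to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")

def toss_demo():
    """Constructed scenario: example.com issues session_id, then
    attacker.example.com sets a same-named cookie scoped to example.com."""
    jar = CookieJar()
    # Host-only cookie (no Domain attribute): only example.com can set or read it.
    jar.extract_cookies(_Resp(["session_id=legit123; Path=/; Secure; HttpOnly"]),
                        Request("https://example.com/"))
    # The subdomain widens scope with Domain=example.com, so the jar keeps both.
    jar.extract_cookies(_Resp(["session_id=forged999; Domain=example.com; Path=/"]),
                        Request("https://attacker.example.com/"))
    # The Cookie header sent to example.com carries both values and nothing
    # that tells the server which host set which.
    return cookie_header_for(jar, "https://example.com/")

def parse_cookie_header(header):
    """Server side: split Cookie into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def session_from_header(header, name="session_id"):
    """Hardened lookup: accept the session only if exactly one cookie has
    that name; a duplicate means the jar is ambiguous, so treat as no session."""
    values = [v for n, v in parse_cookie_header(header) if n == name]
    return values[0] if len(values) == 1 else None
```

toss_demo() returns a header holding both session_id values; session_from_header() rejects it, while a last-wins parser such as dict(parse_cookie_header(hdr)) silently takes the forged one. Naming the real cookie __Host-session_id goes further, because browsers refuse to store a __Host- cookie that carries a Domain attribute, so the subdomain could not plant a same-named cookie at all (http.cookiejar does not model the prefix rules).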
Key Takeaways
- Cookie tossing is mainly a cookie scope and session-handling problem.
- Secure subdomain governance is as important as secure application code.
- Use restrictive cookie attributes, session rotation, and strong validation to reduce risk.
- Review related topics such as Bobby Tables and SQL injection, and input validation attacks.