Cookie Tossing

What is Cookie Tossing?

The purpose of this guide is to explain what cookie tossing is, how it works, provide an example demonstrating the attack, and outline preventive measures to mitigate its risks in cybersecurity.

Cookie tossing is a cyberattack technique that exploits vulnerabilities in the way cookies work within a domain and its subdomains and how web browsers handle them.

It involves using a subdomain or a vulnerability in a subdomain to inject malicious cookies that can be used to hijack user sessions, steal data, or perform other harmful actions.

HTTP Cookies Basics

Cookies are small pieces of data stored on a user’s device by websites they visit. They are primarily used to remember user preferences, track their activity, and enhance their browsing experience. Cookies are created by web servers and sent to the user’s browser, where they are stored and sent back to the server each time the browser requests a page from that server.

There are two main types of cookies which are session cookies and persistent cookies. This guide refers to session cookies.

Here is a breakdown of a typical cookie tossing attack:

1. Subdomain Control

The attacker needs control over a subdomain of the target website. This could be achieved through various means, like exploiting a vulnerability or having a legitimate subdomain.

The attacker sets a malicious cookie on the subdomain with the same name and path as a legitimate cookie used by the website.

3. Browser Deception

When a user visits the main website, their browser sends both the legitimate and attacker’s cookies.

4. Exploitation

Depending on the security measures of the website, the attacker’s cookie may be used instead of the legitimate cookie, allowing the attacker to exploit this situation for various purposes, such as session hijacking, data exfiltration, and CSRF attacks.


Imagine that a malicious subdomain ‘‘ sets a cookie named ‘session_id‘ with a spoofed value resembling a legitimate session ID. When you visit ‘‘, your browser sends both the legitimate ‘session_id‘ cookie from the main domain and the attacker’s cookie. If the website doesn’t properly validate cookie origin, the attacker’s cookie might be used, potentially allowing them to hijack your session.

Target Website: (main website)

Attacker-Controlled Subdomain:

Attack Steps:

1. The attacker sets a cookie named ‘session_id‘ on ‘‘ with a forged value resembling a legitimate session ID.

2. The user visits ‘‘. Their browser sends all cookies, including the malicious ‘session_id‘ from ‘‘.

3. If the website’s security is weak, it might mistake the attacker’s cookie for a valid one, potentially granting unauthorized access to the user’s account.

Prevention Methods

Several measures can help prevent cookie tossing attacks:

• Secure Subdomains

Implement robust security measures to prevent unauthorized access to subdomains.

• Patch Vulnerabilities

Regularly patch vulnerabilities in website software to prevent XSS attacks.

Website owners should implement proper cookie security measures, such as using the ‘HttpOnly‘ and ‘Secure‘ flags, and restricting cookie access to only the necessary subdomains.

Like this Post? Please Share & Help Others: