y.z.com; secure
JavaScript and VBScript are inaccurately considered extensions of the server code, so
these scripting languages can read and write cookies by accessing the document.cookie
variable, unless the cookie has the HttpOnly attribute set and the user is running IE. This
is of great interest to hackers, because cookies generally contain authentication credentials,
CSRF protection information, and other confidential information. Also, Man-in-the-
Middle (MitM) attacks can edit JavaScript over HTTP.
If an attacker can break or circumvent the same origin policy, the cookies can be
easily read via the DOM with the document.cookie variable. Writing new cookies is
easy, too: simply concatenate to document.cookie with this string format:
var cookieDate = new Date ( 2030, 12, 31 );
document.cookie += "CookieName=CookieValue;" +
/* All lines below are optional. */
"domain=.y.z.com;" +
"path=/a;" +
"expires=" + cookieDate.toGMTString() + ";" +
"secure;" +
"HttpOnly;"
Problems with Setting and Parsing Cookies
Popularity: 2
Simplicity: 4
Impact: 6
Risk Rating: 5
Cookies are used by JavaScript, web browsers, web servers, load balancers, and other
independent systems.
Pages:
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96