How to Detect and Prevent Cookie Stealing
What is a cookie?
A cookie (also tracking cookie, browser cookie, and HTTP cookie)
is a small piece of text stored on a user's computer by a web
browser. A cookie consists of one or more name-value pairs
containing bits of information.
A cookie can be used for authentication, session tracking
(state maintenance), storing site preferences, shopping cart
contents, the identifier for a server-based session, or anything
else that can be accomplished through storing textual data.
Cookie Stealing and the damage
Cookie stealing means that an attacker obtains a user's cookie
without authorization. Because records of the visited websites
are saved in cookies, the following sensitive information will
be disclosed when a cookie is stolen:
of visited website
of server background
of BBS user
of website administrator
of Game user
of online bank account
The method of Cookie Stealing
At present there are two methods of transferring a stolen
cookie: automatic transfer by script, and email. According to
incomplete statistics, more than 90 percent of cookie stealing
is transmitted via automatic transfer by script, which sends the
cookie to a designated location. When a cookie is transmitted
this way, the code includes “+document.cookie”.
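The “+document.cookie” marker described above can be searched
for in captured HTTP requests. The following Python code is an
added example, not code from the original page and not how Sax2
itself works; the record format, host names and function names
are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The marker named on the page: a script concatenating document.cookie
# onto a string. Case and whitespace are tolerated.
SIGNATURE = re.compile(r"\+\s*document\s*\.\s*cookie", re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    """Undo repeated percent-encoding (%252B -> %2B -> +), bounded."""
    for _ in range(max_rounds):
        # unquote, not unquote_plus: the literal '+' must survive decoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan(records):
    """Return (source IP, destination host) for each request with the marker."""
    alerts = []
    for line in records:
        src_ip, dst_host, request = line.split(" ", 2)
        if SIGNATURE.search(fully_decode(request)):
            alerts.append((src_ip, dst_host))
    return alerts

# Constructed sample records (hypothetical format):
# "<source IP> <destination host> <HTTP request line>"
SAMPLE = [
    # ordinary page load
    "192.168.1.100 www.example.com GET /index.html HTTP/1.1",
    # marker, percent-encoded once
    "192.168.1.100 host-a.example GET /c?v=%27%2Bdocument.cookie HTTP/1.1",
    # marker, percent-encoded twice, mixed case, extra space
    "192.168.1.101 host-b.example GET /c?v=%2527%252B%2520Document.Cookie HTTP/1.1",
    # benign: the words appear, but not as '+document.cookie'
    "192.168.1.102 www.example.com GET /help/document.cookie.html?q=cookie+policy HTTP/1.1",
]

if __name__ == "__main__":
    for src_ip, dst_host in scan(SAMPLE):
        print(f"HTTP suspected cookie stealing: {src_ip} -> {dst_host}")
```

Matching only after decoding keeps an encoded marker from slipping
past, while requiring the leading “+” avoids flagging pages that
merely mention document.cookie.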
How to Detect Cookie Stealing with Sax2
1) Run Sax2 and start detection.
2) Sax2 will raise the event HTTP_Suspected cookie stealing
if there is cookie stealing activity on the network. See figure 1.
(Figure 1 Sax2 real-time alarm when encountered Cookie Stealing)
The figure above shows that Sax2 detected a host (IP:
192.168.1.100) transferring its cookie information to the
internet address 61.xx.xxx.3. In the “Original Communication”
tab, the code “+document.cookie” included in the original
How to Prevent Cookie Stealing
1. The easiest way to prevent someone from stealing your cookies
is to watch the links you click. Check the URL of the website a
link is trying to take you to. If you don't know it, don't
trust it. A good thing to look at is the structure of the URL.
Cookie stealing scenarios will be run from a free subdomain. To
hide the link, attackers will try to make it look like the web
address of the site on which they are placing the malicious
link. So say you came across a cookie stealer on Myspace. They
will most likely form a subdomain that looks something like
this: www.myspace.freehost.com. At a glance you will just see
"myspace" and think everything is fine. It is very important
that you watch for things like this.
2. The only real method that you need to follow other than the
one above is to clear your cookies after every session. If a
Trojan infects you at any point, then you most likely have some
kind of backdoor on your computer that you don't even
understand. This is a free pass for hackers to let themselves
in. All they need to do once they are in is copy all the
files in your cookie folder to their computer and start
cracking. Nevertheless, if you make it a habit to delete these
cookies at the close of every session, then there is nothing for
the hacker to steal (as far as cookies go, that is).