Cookie poisoning—also known as session hijacking—is an attack strategy in which the attacker alters, forges, hijacks, or otherwise "poisons" an otherwise valid cookie sent back to a server to steal data, bypass security, or both.
Attackers can intercept cookies before they return to the server to extract information from or modify them. Forged cookies can also be created from scratch as a means of impersonating a user to access additional user data. Cookie poisoning is thus a misnomer in that it is often used to refer not only to modified (“poisoned”) cookies but to a variety of methods for stealing data from valid cookies or other malicious use of them.
Cookies are often used for authentication and to track whether a user is logged in to an account, which means they contain information that can be used for unauthorized access. They can also contain other sensitive data, including financial information, entered by a user. Cookie poisoning is relatively easy for attackers, who can use a poisoned cookie to steal user identities for fraud or to gain unauthorized access to the web server for further exploits.
Cookies (or other session tokens) not generated or transmitted securely are vulnerable to hijacking or poisoning. Cross-site scripting (XSS) is a common way to steal cookies, but a number of methods, including packet sniffing and brute force, may be used to gain unauthorized access to cookies. And because cookie poisoning is a catch-all term for numerous malicious activities involving cookies, a cookie poisoning exploit might also be accurately described as a man-in-the-middle attack or session hijacking, fixation, or forgery, among other terms.
While thoughtful app development can limit the sensitive data stored in cookies or make it harder for attackers to extract, a cookie’s purpose is to identify users, behaviors, or both. That means applications will continue to use them. Appropriate web application security and session management, which may be provided by a web application firewall (WAF), can help protect identifying data and defend against cookie poisoning.
The F5 Advanced WAF uses full-proxy data inspection, behavior analytics, and machine learning to provide high-level application security, including sophisticated session management and SSL/TLS cookie encryption. By intercepting all traffic to and from the web server, it can decrypt that traffic and compare it against information sent by the server to prevent altered cookies from reaching the server or an application.