Vol. 1 · Ed. 2026
CyberGlossary
Entry № 246

Cookie Poisoning

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Cookie Poisoning?

Cookie Poisoning: An attack that modifies the contents of HTTP cookies before they are sent back to a web application, in order to alter trust, identity, or business logic decisions.


Cookie poisoning targets cookies that carry application state — user IDs, roles, prices, feature flags, or signed tokens — and tampers with them client-side. If the server trusts the cookie without proper integrity checks, the attacker can escalate privileges, change a cart total, switch tenant, or bypass authorization. Attackers tamper directly in their own browser, via XSS, or via MitM on insecure links. The defence is never to store sensitive state client-side without integrity protection: sign or encrypt cookies (HMAC, JWT with strong signing, or server-side sessions that keep only an opaque identifier in the cookie), validate every value server-side, set the Secure, HttpOnly and SameSite attributes, and enforce TLS to prevent in-flight tampering. Treat all cookie values as untrusted user input.

Examples

  1. A user edits a cookie role=user to role=admin and gains access to administrative pages because the server doesn't verify integrity.

  2. An e-commerce site stores price in a cookie; an attacker changes it before checkout to pay one cent for an item.
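As an added illustration (not part of the glossary entry), the following Python code applies the HMAC integrity control from the definition above to example 1: a naive server that reads role= straight from the cookie accepts the role=user to role=admin edit, while a server that verifies an HMAC tag rejects it. The secret key, field names and cookie layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Assumed server-side secret; in a real deployment it comes from a secrets store.
SECRET_KEY = b"example-secret-key-not-for-production"


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the serialised cookie payload, URL-safe base64, no padding."""
    digest = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_cookie(fields: dict[str, str]) -> str:
    """Serialise fields as sorted key=value pairs and append the HMAC tag after '|'."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie: str) -> Optional[dict[str, str]]:
    """Return the fields only if the tag matches; None means tampered or malformed."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep or not payload:
        return None
    # Constant-time comparison on bytes, so a non-ASCII tag cannot raise TypeError.
    if not hmac.compare_digest(_mac(payload).encode(), tag.encode()):
        return None
    fields = {}
    for pair in payload.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def naive_is_admin(raw_cookie: str) -> bool:
    """The vulnerable pattern from example 1: trusts role= straight from the cookie."""
    fields = dict(pair.split("=", 1) for pair in raw_cookie.split("&") if "=" in pair)
    return fields.get("role") == "admin"


def hardened_is_admin(signed_cookie: str) -> bool:
    """Only honours role= after the HMAC tag has been verified."""
    fields = verify_cookie(signed_cookie)
    return fields is not None and fields.get("role") == "admin"


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a legitimate cookie edited client-side to role=admin."""
    legit = sign_cookie({"user": "alice", "role": "user"})
    poisoned = legit.replace("role=user", "role=admin")
    return naive_is_admin(poisoned), hardened_is_admin(poisoned)  # (True, False)
```

The tag gives integrity only, not secrecy: values in a signed cookie are still readable client-side, so a price (example 2) belongs in server-side state rather than in any cookie.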

Frequently asked questions

What is Cookie Poisoning?

An attack that modifies the contents of HTTP cookies before they are sent back to a web application, in order to alter trust, identity, or business logic decisions. It belongs to the Attacks & Threats category of cybersecurity.

What does Cookie Poisoning mean?

An attack that modifies the contents of HTTP cookies before they are sent back to a web application, in order to alter trust, identity, or business logic decisions.

How do you defend against Cookie Poisoning?

Defences for Cookie Poisoning typically combine technical controls and operational practices, as detailed in the full definition above.
