Attacks & Threats
Cookie Poisoning
Definition
An attack that modifies the contents of HTTP cookies before they are sent back to a web application, in order to alter trust, identity, or business logic decisions.
Examples
- A user edits a cookie value from role=user to role=admin and gains access to administrative pages because the server does not verify the cookie's integrity.
- An e-commerce site stores the item price in a cookie; an attacker changes it before checkout to pay one cent for the item.
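The root cause in both examples is that the server reads a value back from the client and trusts it without an integrity check. The following added example (not code from this glossary or any particular framework) shows the vulnerable pattern beside a hardened one: an HMAC-signed cookie whose tag is recomputed and compared in constant time on every read, so an edited payload or a corrupted tag is rejected. The secret key and the sample cookie values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real server loads it from protected
# configuration or a secrets manager and rotates it.
SECRET_KEY = b"example-only-secret-key-not-for-production"


def parse_unsigned_cookie(cookie_value: str) -> dict:
    """Vulnerable pattern: decode 'k=v; k=v' with no integrity check.

    Whatever the client sends is accepted, so a client-side edit of
    role=user to role=admin is indistinguishable from a server-issued value.
    """
    fields = {}
    for pair in cookie_value.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def _encode(fields: dict) -> str:
    """Canonical, URL-safe encoding of the cookie payload."""
    return base64.urlsafe_b64encode(
        json.dumps(fields, sort_keys=True).encode()
    ).decode()


def sign_cookie(fields: dict) -> str:
    """Hardened pattern: issue '<payload>.<hmac-sha256 tag>' for the given fields."""
    payload = _encode(fields)
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie_value: str):
    """Return the decoded fields only if the tag matches; otherwise None.

    The tag is recomputed over the received payload and compared with
    hmac.compare_digest to avoid a timing side channel.
    """
    try:
        payload, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no separator
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # payload or tag was altered
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def demo() -> dict:
    """Constructed walkthrough: the same role change against both cookie formats."""
    # Vulnerable: a cookie edited on the client (originally role=user) is accepted as-is.
    plain_role = parse_unsigned_cookie("role=admin; user=alice")["role"]

    # Hardened: issue a signed cookie, then simulate the same edit
    # (new payload, old tag) and a corrupted tag.
    issued = sign_cookie({"role": "user", "user": "alice"})
    payload, tag = issued.rsplit(".", 1)
    edited_payload = _encode({"role": "admin", "user": "alice"}) + "." + tag
    corrupted_tag = payload + "." + "0" * len(tag)
    return {
        "plain_role_accepted": plain_role,
        "signed_valid": verify_cookie(issued),
        "signed_edited_payload": verify_cookie(edited_payload),
        "signed_corrupted_tag": verify_cookie(corrupted_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Signing stops silent modification, but it does not hide the contents (the payload is only base64) and a valid signed cookie can still be replayed until it expires. For the second example above the better fix is not a signed price at all: keep the price server-side and look it up by item identifier at checkout, and bind any signed cookie to a server-side session with an expiry.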
Related terms
Cookie Hijacking
Theft and reuse of a user's HTTP cookies — typically session or authentication cookies — to impersonate that user against a web application.
Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
Parameter Tampering
An attack in which an adversary modifies parameters in HTTP requests, cookies, or hidden form fields to manipulate application behaviour.
Broken Access Control
A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
Session Management
Session Management — definition coming soon.