Working with Cookiees

Working with Cookie using Javascript (document.cookie);

1: Creating Cookie

1.1 Creating in-memory cookie

document.cookie = “Username= FirstName LastName”;  // In-memory cookiee var x = document.cookie; alert(x);  // Username=”FirstName LastName” document.cookie = "Key1=Value1"; document.cookie = "Key2=Value2"; alert(document.cookie); // displays: Key1=Value1;Key2=Value2; Note: If Keys are same then values overwrites; Cookies predefined Keys in Cookie Expires : The date the cookie will expire. If this is blank, the cookie will expire when the visitor quits the browser. Domain : The domain name of your site. Path : The path to the directory or web page that set the cookie. This may be blank if you want to retrieve the cookie from any directory or page. Secure : If this field contains the word "secure" then the cookie may only be retrieved with a secure server. If this field is blank, no such restriction exists. Name=Value : Cookies are set and retrieved in the form of key and value pairs. Note; These parameters(their values) are seprated by semi-colon (;);

1.2 Creating Persistent Cookiee

document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT";    alert(x.UserName);

1.3 Creating Persistent cookie with Path (i.e., which folder pages can access this cookie)

document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/"; Note: With a path parameter, you can tell the browser what path the cookie belongs to. By default, the cookie belongs to the current page.

1.4. Modifying Cookie (create new cookies with existing keys and new values);

document.cookie="username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";

1.5.Deleting Cookie

Deleting a cookie is very simple. Just set the expires parameter to a passed date: document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 GMT";

1.6.Cookie Location

C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies If Security Configuration to Low : %AppData%\Microsoft\Windows\Cookies\Low    At most one file is would be created on behalf of each Domain; It contains all values in the form of Key-Value pair. UserName@www.w3schools[2]

1.7: An approach: setCookie and getCookie data

function setCookie(cname,cvalue,exdays) { var d = new Date(); d.setTime(d.getTime()+(exdays*24*60*60*1000)); var expires = "expires="+d.toGMTString(); document.cookie = cname + "=" + cvalue + "; " + expires; } function getCookie(cname) { var name = cname + "="; var ca = document.cookie.split(';'); for(var i=0; i   {   var c = ca[i].trim();   if (c.indexOf(name)==0) return c.substring(name.length,c.length);   } return ""; } Calling Methods function checkCookie() { var user=getCookie("username"); if (user!="")  {  alert("Welcome again " + user);  } else  {  user = prompt("Please enter your name:","");      if (user!="" && user!=null)     {     setCookie("username",user,30);     }   } }

1.8: Iterating through each Items stored in Cookiee

document.cookie = 'Key1=Value1,Key2=Value2';  //Dont use '&' and ';' chars for multi-valued cookiees. var cookieArray = document.cookie.split(','); A) Paired items reading var x1 = cookieArray[0];  //Key1=Value1 var y1 = cookieArray[1];  //Key2=Value2 B) Keys only reading var k1 = cookieArray[0].split('=')[0]; //Key1 var k2 = cookieArray[1].split('=')[0]; //Key2 C) Values only reading var v1 = cookieArray[0].split('=')[1]; //Value1 var v2 = cookieArray[1].split('=')[0]; //Value2

Attacks on  Cookies

1)      XSS attacks

a.       Domain Name validations

b.      Sub-Domain Name validations

1)      Cookie Positioning  (Protecting cookies over wire)

2)      Cookie confidentiality (Cookie data encryption)

Recommended References:

http://en.wikipedia.org/wiki/HTTP_cookie

http://blog.cenzic.com/2009/08/insecure-cookie-handling-vulnerability-part-1/

http://blog.cenzic.com/2009/08/common-insecure-cookie-attacks-cross-site-request-forgery/

http://www.12robots.com/index.cfm/2009/1/14/More-Cookies--Domain-and-Path-Attributes--Security-Series-122

http://www.12robots.com/index.cfm/2009/1/14/More-Cookies--Domain-and-Path-Attributes--Security-Series-122

https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

Nag-references:
http://www.webdeveloper.com/forum/showthread.php?261054-javascript-validation-amp-cookie

http://tools.ietf.org/html/draft-pettersen-dns-cookie-validate-05

Nag-Rcommended References

http://www.thesitewizard.com/javascripts/cookies.shtml

http://stackoverflow.com/questions/2959010/how-to-get-the-domain-value-for-a-cookie-in-javascript

http://www.w3resource.com/javascript/cookies/introduction-cookies.php

http://www.brenz.net/cookies/test_cookie.asp?fail

References:
http://www.w3schools.com/js/js_cookies.asp

http://en.wikipedia.org/wiki/Session_fixation

http://sage.math.washington.edu/home/wstein/www/home/agc/lit/javascript/xss.html
http://www.brenz.net/cookies/test_cookie.asp?fail
http://stackoverflow.com/questions/14149542/javascript-cookies-setting-multiple-cookies
http://www.jsmadeeasy.com/javascripts/Forms/Validation%20%28Cookie%29/index.htm
http://www.securiteam.com/securityreviews/5EP0L2KHFG.html
http://www.cse.wustl.edu/~jain/cse571-07/ftp/xsscript/
http://searchsoftwarequality.techtarget.com/answer/Cookie-poisoning-prevention-in-ASPNET
http://www.chacha.com/question/what-type-of-attack-can-be-prevented-by-validating-cookies-and-query-strings
https://www.acunetix.com/websitesecurity/cross-site-scripting/
http://support.microsoft.com/kb/252985
http://searchsoftwarequality.techtarget.com/answer/Cookie-poisoning-prevention-in-ASPNET