Problem
Stop users tampering with cookies
One of the easiest “hacks” possible on web sites is changing the contents of a cookie to gain unauthorized access to sensitive areas of the application (e.g. administration areas).
Example - illustrating the problem of cookie tampering
To illustrate why a user might want to alter a cookie, let's say we have an ASP.Net web site called www.my-secure-application.com that requires all users to log in. Let's also assume that the web site uses simple cookies to protect various areas of the site.
A malicious user wishes to “hack” the site to gain access to the administration functions of the site.
The user signs up for a “standard” account on the site and logs in with their userID (e.g. “AceHacker”). By inspecting the cookies on their computer, the hacker is able to see a cookie called “Login”. Inside this cookie is some text that reads “AceHacker”.
The hacker guesses that the web site administrator has a userID of “Admin”. The hacker changes the content of the cookie on their machine to “Admin” and is now able to log in to the website as “Administrator”. The hacker can now access all areas usually restricted to Administrators.
Solution
Our product protects cookies from user tampering. Cookies secured with our product contain a special signature, which is checked every time the cookie is received by the web site / application. If the signature does not match, our component raises an exception, giving you, the application developer, an opportunity to respond to a potential hack attempt.
In the example above, an appropriate response to a tamper exception might be to suspend the user's account while logging the IP address and notifying the web master of a possible intrusion attempt.
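The following is an added illustration of the signature check described above, written in Python rather than for ASP.Net; it is not the product's code. It assumes a server-side secret key (a constructed demo value here) and shows that editing “AceHacker” to “Admin” in a signed “Login” cookie fails verification and is reported as a tamper attempt.

```python
import hashlib
import hmac

# Server-side secret used to sign cookies (constructed demo value; a real
# deployment would keep this out of source control and rotate it).
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


class CookieTamperError(Exception):
    """Raised when a cookie's signature does not match its contents."""


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value|hexmac'. The client can still read the value but cannot
    change it without invalidating the HMAC, which needs the secret key."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> str:
    """Return the cookie's value if the signature checks out, otherwise raise."""
    value, sep, mac = cookie.rpartition("|")
    if not sep:
        raise CookieTamperError("cookie carries no signature")
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a timing difference does not reveal how
    # many characters of a forged signature were correct.
    if not hmac.compare_digest(mac, expected):
        raise CookieTamperError("cookie signature mismatch")
    return value


def handle_login_cookie(cookie: str) -> str:
    """Application-side handler: returns the verified userID, or the marker
    'tamper-detected' where a real site would suspend the account and log it."""
    try:
        return verify_cookie(cookie)
    except CookieTamperError:
        return "tamper-detected"


if __name__ == "__main__":
    login = sign_cookie("AceHacker")                      # issued at login
    forged = login.replace("AceHacker", "Admin", 1)        # edited on the client
    print(handle_login_cookie(login))                      # AceHacker
    print(handle_login_cookie(forged))                     # tamper-detected
```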