Geeks With Blogs
Blog Moved to Blog Moved to
In previous posts, I talked about other security issues such as Cross Site Scripting (XSS), SQL Injection and other validation controls available to you for writing secure applications.  Today is no different as we are talking about understanding and detetcing cookie tampering.
What Is Cookie Tampering?
Cookies can be manipulated quite easily as they are plain text files on your local machine.  For example, say you have an application that stores your favorite color in a cookie.  Once that data has been saved to your local machine, it is placed in your Temporary Internet Files directory.  Each cookie may be viewed and modified in that folder by using something as simple as notepad.  For the above example, let's change our favorite color cookie from red to blue.  This requires nothing more than opening the proper cookie, changing the text from RED to BLUE, saving the cookie and closing the viewer.
The basic view of cookies should be that they are untrusted user data, as they can be changed by an attacker.  One should be very wary of storing permanent secure data in cookies.  We need a way of verifying that this data has not in fact been tampered with in some form.  Below I will show you what I did to change the value.
The before cookie from my Cookie:username@localhost looks like this:
Let's change it to look like this:
We view the cookie value by using the following:
From then on, we should see the value of the cookie being display to be Blue instead of Red.  It's never really a good idea to just return back the value of the cookie without some sort of verification process.  Let's move forward into ways to detect.
How Do We Detect Cookie Tampering?
We need a way to detect if a cookie is tampered with.  The easiest way is to use cryptographic hashing.  We could use a SHA1 algorithm and a secret phrase to detect any changes made to our cookies.  The attacker cannot decrypt our information because he does not know the secret.  Let's look further into how to do this.
Channel 9 on the MSDN has a lab about Cookies which I will reference here for a minute.  The lab is available here:
From the after code that is supplied from that link, we can see that they use a static class called TamperDetector. 
This class provides the following methods:
  • AddTamperDetection - which allows the user to add the generated hashed key to the cookie value we are setting. 
  • CheckAndRemoveTamperDetection - which allows the user to remove the generated hashed key from the cookie value.  It will also validate whether the data has been modified and will throw a DataTamperingException if that is true.
  • GenerateRandomKey - generates a random key to be put into the web.config which contains the secret.
 There are other ways about tamper proofing your cookies.  Two useful articles can be found on about cookie tampering.
Other Articles
Encrypting Cookies to prevent tampering is the first article off which goes into encrypting the cookies in your application.  This works out of the box for ASP.NET 1.1 applications only and has been replaced for ASP.NET 2.0
HttpSecureCookie, A Way to Encrypt Cookies in ASP.NET 2.0 uses an internal class to ASP.NET 2.0 to do secure cookies. 
Overall, there are multiple ways to creating more secure cookies for your application.  It's still a best practice not to include any mission critical data in your cookies, but, should the need arise, there are ways of protecting that data.
Posted on Tuesday, May 30, 2006 11:47 AM .NET , ASP.NET | Back to top

Comments on this post: .NET Security - Understanding and Detecting Cooke Tampering

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Matthew Podwysocki | Powered by: