013 HTTP Statelessness Cookie

This document provides an overview of web application pentesting and cookies. It introduces Vivek Ramachandran as an instructor for security courses and certifications. It then discusses how HTTP is stateless, and how cookies allow servers to store and retrieve data from clients to maintain session state. The document outlines the key information contained in cookies like name-value pairs, expiration dates, domains, paths, and security flags.


Web Application Pentesting

Vivek Ramachandran
SWSE, SMFE, SPSE, SISE, SLAE, SGDE Course Instructor

Certifications: http://www.securitytube-training.com

Pentester Academy: http://www.PentesterAcademy.com

©SecurityTube.net
HTTP Statelessness and Cookies

HTTP is Stateless

• Every request is treated independently

• The server does not retain state for a client between its requests

• What does this mean?

– Every request needs to be separately authenticated
– Every request MUST carry its auth information: either the credentials themselves, or a token (typically a session cookie) that the server can map back to an authenticated user
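The server side of this, as an added example that is not part of the original slides: a stateless request handler that recognises a returning client only through the session ID it issued in a cookie. The App class, its three routes, the user table and the in-memory session store are all constructed for illustration; the session ID value used in step 4 is the one from the slides and is simply an ID the store never issued.

```python
"""Stateless request handling with cookie-based sessions (added example).

Each App.handle() call is one independent HTTP request. The only thing that
links a request to an earlier login is the sessionID cookie the client sends
back, which the server resolves through its own session store.
"""
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed demo credential; a real application stores a password hash.
USERS = {"vivek": "correct horse battery staple"}

Response = Tuple[int, Dict[str, str], str]   # (status, response headers, body)


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Split a 'Cookie: a=1; b=2' value into a dict; tolerate a missing header."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


class App:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # session ID -> username

    def current_user(self, headers: Dict[str, str]) -> Optional[str]:
        """Map the sessionID cookie (if any) back to a logged-in user."""
        sid = parse_cookie_header(headers.get("Cookie")).get("sessionID")
        return self.sessions.get(sid) if sid else None

    def handle(self, method: str, path: str, headers: Dict[str, str],
               form: Optional[Dict[str, str]] = None) -> Response:
        """One request in, one response out; nothing about the caller is kept
        on the server except what self.sessions records under the session ID."""
        if method == "POST" and path == "/login":
            form = form or {}
            expected = USERS.get(form.get("user", ""), "")
            if not expected or not secrets.compare_digest(expected, form.get("pass", "")):
                return 401, {}, "bad credentials"
            sid = secrets.token_urlsafe(32)          # unguessable session ID
            self.sessions[sid] = form["user"]
            # Secure + HttpOnly: not sent over plain HTTP, not readable by scripts
            return 200, {"Set-Cookie": f"sessionID={sid}; Path=/; Secure; HttpOnly"}, "logged in"
        if method == "GET" and path == "/account":
            user = self.current_user(headers)
            if user is None:
                return 401, {}, "login required"    # no valid cookie: anonymous request
            return 200, {}, f"account page for {user}"
        if method == "POST" and path == "/logout":
            sid = parse_cookie_header(headers.get("Cookie")).get("sessionID")
            self.sessions.pop(sid, None)             # invalidate on the server side
            return 200, {"Set-Cookie": "sessionID=; Max-Age=0; Path=/"}, "logged out"
        return 404, {}, "not found"


def demo() -> List[int]:
    """Walk through the exchange and return the status code of each request."""
    app = App()
    statuses = []
    # 1. No cookie: the server has no idea who this is.
    statuses.append(app.handle("GET", "/account", {})[0])
    # 2. Login: credentials travel in this request, a session ID comes back.
    status, resp_headers, _ = app.handle("POST", "/login", {},
                                         {"user": "vivek", "pass": "correct horse battery staple"})
    statuses.append(status)
    sid = parse_cookie_header(resp_headers["Set-Cookie"])["sessionID"]
    # 3. Same client, next request: only the cookie identifies it.
    statuses.append(app.handle("GET", "/account", {"Cookie": f"sessionID={sid}"})[0])
    # 4. An ID the store never issued is just an anonymous request again.
    statuses.append(app.handle("GET", "/account",
                               {"Cookie": "sessionID=ahj23hkhe32fd23j232ll2323ljk"})[0])
    # 5. Logout removes the server-side record ...
    statuses.append(app.handle("POST", "/logout", {"Cookie": f"sessionID={sid}"})[0])
    # 6. ... so replaying the old cookie no longer works.
    statuses.append(app.handle("GET", "/account", {"Cookie": f"sessionID={sid}"})[0])
    return statuses
```

The pentesting consequence is visible in steps 3 and 4: from the second request on, the session ID is the authentication. Whoever holds a valid ID is that user, which is why the later slides spend so much time on the attributes that keep the cookie off plain HTTP and away from script.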

Cookies

• Allow the server to store data on the client and get it back on later requests

• Typically stored in a file (or small database) on the client side by the browser

• Text only; no executable code (but still attacker-controlled input: the server must treat cookie values as untrusted)

• Browsers limit each cookie to about 4 KB (RFC 6265 asks user agents to support at least 4096 bytes per cookie, name, value and attributes included)

• Allows for retaining state with the client's help

– Session management
– User preferences

How does a Cookie look?

How is a Cookie set by the Server?

How is a Cookie sent by the Client?

(the three slides above are screenshots in the original deck; only their titles survive in this text)

What Information is allowed in it?

(figure: Server side and Client side; not reproduced)

Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384321(v=vs.85).aspx
Cookie: Name=Value Pairs (set by the server)

• E.g. sessionID=ahj23hkhe32fd23j232ll2323ljk
• Multiple cookies in the Cookie request header are separated by ;
– E.g. Name=vivek; Age=12; Country=India
• Each Set-Cookie response header carries one cookie plus its attributes; a server that wants to set several cookies sends several Set-Cookie headers
Cookie: expires (set by the server)

• Session cookie (discarded when the browser closes) if neither "expires" nor "Max-Age" is given

• Format:
– DAY, DD-MMM-YYYY HH:MM:SS GMT
– Mon, 22-Nov-2013 22:45:00 GMT
• Max-Age attribute in the newer RFC 6265
– Lifetime in seconds, counted from when the client receives the cookie
– Takes precedence over expires when both are present
Cookie: domain (set by the server)

• Domain (that host and its subdomains) for which it is valid

• E.g.
– docs.securitytube.net
– .images.securitytube.net (RFC 6265 clients ignore the leading dot)
• If no domain attribute is given, the cookie is host-only: sent back only to the exact host that set it
• A server may only set cookies for its own host or a parent domain (docs.securitytube.net may set Domain=securitytube.net, which then goes to every securitytube.net subdomain), never for an unrelated domain
Cookie: path (set by the server)

• URL path prefix for which it is valid

• E.g.
– Sid1=asd; Path=/;
– Sid2=xyz; Path=/blog;
• Sid1 goes with every request to the host; Sid2 only with requests to /blog and paths below it
• Path is not a security boundary: the same-origin policy ignores path, so script served from another path of the same origin can still reach /blog cookies (for example through a frame pointed at /blog)
Cookie: secure (set by the server)

• Only sent over HTTPS
• Without it the cookie is also attached to plain HTTP requests to the same host, where anyone on the network path can read it
Cookie: httponly (set by the server)

• Cannot be accessed by client-side scripts directly
• Cannot be read or written through document.cookie in JavaScript
• XSS mitigation mechanism: injected script cannot read and exfiltrate the session ID
– It does not stop the attack itself: script running in the page can still issue requests, and the browser attaches the cookie to those requests as usual
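The client-side half of the exchange, which the screenshot slides ("How is a Cookie set by the Server?" / "How is a Cookie sent by the Client?") showed and the attribute slides describe, as an added example that is not part of the original slides: a small cookie jar that parses Set-Cookie headers and decides which cookies belong in the Cookie header of a later request, applying the expires/Max-Age, domain, path, secure and httponly rules as RFC 6265 specifies them. The host names, paths and the sessionID value are the ones from the slides; the other cookie names, values and request URLs are constructed for illustration. The date parser accepts the format on the expires slide and the RFC 1123 form with spaces.

```python
"""Cookie jar: storing Set-Cookie headers and building the Cookie header for
later requests (added example, not from the original slides; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                          # lower-case, no leading dot
    host_only: bool                      # True when no Domain attribute was given
    path: str
    secure: bool = False
    httponly: bool = False
    expires: Optional[datetime] = None   # None means session cookie


def parse_cookie_date(text: str) -> datetime:
    # Slide format "Mon, 22-Nov-2013 22:45:00 GMT"; RFC 1123 uses spaces instead of dashes
    fmt = "%a, %d-%b-%Y %H:%M:%S GMT" if "-" in text else "%a, %d %b %Y %H:%M:%S GMT"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 path-match: identical, or a prefix that ends on a '/' boundary
    return request_path == cookie_path or (request_path.startswith(cookie_path) and
        (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))


def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie value as a browser that fetched request_url would."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # default-path (RFC 6265): request path up to, not including, its last '/'
    cookie = Cookie(name.strip(), value.strip(), host, True, url.path.rsplit("/", 1)[0] or "/")
    max_age = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parse_cookie_date(val)
        elif key == "max-age":
            max_age = int(val)
        elif key == "domain":
            dom = val.lstrip(".").lower()            # leading dot is ignored
            if host != dom and not host.endswith("." + dom):   # own host or parent only
                raise ValueError(f"{host} may not set a cookie for Domain={dom}")
            cookie.domain, cookie.host_only = dom, False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key in ("secure", "httponly"):
            setattr(cookie, key, True)
    if max_age is not None:                          # Max-Age wins over Expires
        cookie.expires = now + timedelta(seconds=max_age)
    return cookie


class CookieJar:
    def __init__(self) -> None:
        self.cookies: Dict[tuple, Cookie] = {}       # keyed by (name, domain, path)

    def store(self, set_cookie: str, request_url: str, now: datetime) -> None:
        c = parse_set_cookie(set_cookie, request_url, now)
        self.cookies[(c.name, c.domain, c.path)] = c

    def cookie_header(self, request_url: str, now: datetime, from_script: bool = False) -> str:
        """Value of the Cookie request header (or of document.cookie if from_script)."""
        url = urlsplit(request_url)
        host, path = (url.hostname or "").lower(), url.path or "/"
        chosen = []
        for c in self.cookies.values():
            in_domain = host == c.domain or (not c.host_only and host.endswith("." + c.domain))
            alive = c.expires is None or c.expires > now
            if (alive and in_domain and path_matches(c.path, path)
                    and (url.scheme == "https" or not c.secure)    # secure rule
                    and (not from_script or not c.httponly)):      # httponly rule
                chosen.append(c)
        chosen.sort(key=lambda c: len(c.path), reverse=True)    # longer paths first
        return "; ".join(f"{c.name}={c.value}" for c in chosen)


def demo() -> Dict[str, str]:
    """Store four constructed cookies set by the login page, then see which ones
    the client would send with various later requests."""
    now = datetime(2013, 11, 1, tzinfo=timezone.utc)
    login = "https://docs.securitytube.net/login"
    jar = CookieJar()
    for header in ("sessionID=ahj23hkhe32fd23j232ll2323ljk; Path=/; Secure; HttpOnly",
                   "Sid2=xyz; Path=/blog",
                   "pref=dark; Domain=securitytube.net; Expires=Mon, 22-Nov-2013 22:45:00 GMT",
                   "tmp=1; Max-Age=60"):
        jar.store(header, login, now)
    return {
        "https_root": jar.cookie_header("https://docs.securitytube.net/", now),
        "https_blog": jar.cookie_header("https://docs.securitytube.net/blog/post1", now),
        "http_root": jar.cookie_header("http://docs.securitytube.net/", now),
        "subdomain": jar.cookie_header("https://images.securitytube.net/", now),
        "document_cookie": jar.cookie_header("https://docs.securitytube.net/", now, True),
        "a_month_later": jar.cookie_header("https://docs.securitytube.net/", now + timedelta(days=30)),
    }
```

Reading the demo output against the slides: the plain-HTTP request loses sessionID (secure), the subdomain only gets the cookie with an explicit Domain (the other three are host-only), document.cookie never shows sessionID (httponly), and a month later only the session cookie is left because pref has expired and tmp's Max-Age of 60 seconds has long passed.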
Pentester Academy

Twitter and Facebook