Security Testing - Cookies


What is a Cookie?

A cookie is a small piece of information that a web server sends to a web browser to store, so that it can be read back later. This way, the browser remembers some specific personal information. If a hacker gets hold of the cookie information, it can lead to security issues.

Properties of Cookies

Here are some important properties of cookies −

  • They are usually small text files, given ID tags, that are stored in your computer's browser directory.

  • They are used by web developers to help users navigate their websites efficiently and perform certain functions.

  • When the user browses the same website again, the data stored in the cookie is sent back to the web server to notify the website of the user’s previous activities.

  • Cookies are unavoidable for websites that have huge databases, need logins, or have customizable themes.

Cookie Contents

The cookie contains the following information −

  • The name of the server the cookie was sent from.
  • The lifetime of the cookie.
  • A value - usually a randomly generated unique number.

Types of Cookies

  • Session Cookies − These are temporary cookies that are erased when the user closes the browser. When the user logs in again, a new cookie for that session is created.

  • Persistent cookies − These remain on the hard disk drive until the user deletes them or they expire. The expiry time set on the cookie determines how long it lasts.
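As an added example (not part of the original tutorial), the following Python code parses a raw Set-Cookie header into the contents listed above (server/domain, lifetime, value), decides whether the cookie is a session or a persistent cookie from its lifetime attributes, and audits the security attributes (Secure, HttpOnly, SameSite) a tester would check. The sample headers are constructed for the example; the domain `example.test` is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    domain: Optional[str] = None
    path: Optional[str] = None
    expires: Optional[datetime] = None
    max_age: Optional[int] = None
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None

    @property
    def is_persistent(self) -> bool:
        # A cookie carrying Max-Age or Expires survives the browser session;
        # one with neither attribute is a session cookie.
        return self.max_age is not None or self.expires is not None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val
        elif key == "expires":
            try:
                cookie.expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass  # malformed date: treat as absent
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie.max_age = int(val)
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.capitalize()
    return cookie


def audit_cookie(cookie: ParsedCookie) -> List[str]:
    """Return the list of missing or inconsistent security attributes."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure")
    if not cookie.httponly:
        findings.append("missing HttpOnly")
    if cookie.samesite is None:
        findings.append("missing SameSite")
    elif cookie.samesite == "None" and not cookie.secure:
        findings.append("SameSite=None requires Secure")
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=a1b2c3; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=theme%3Ddark; Domain=.example.test; Path=/; "
    "Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "tracker=xyz; Max-Age=31536000; SameSite=None",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        c = parse_set_cookie(raw)
        kind = "persistent" if c.is_persistent else "session"
        print(f"{c.name}: {kind} cookie, findings={audit_cookie(c) or 'none'}")
```

The first sample is a well-configured session cookie; the other two are persistent cookies that a tester should flag because they can be sent over plain HTTP and read by script.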

Testing Cookies

Here are the ways to test the cookies −

  • Disabling Cookies − As a tester, we need to verify access to the website after disabling cookies and check whether the pages still work properly. Navigate to all the pages of the website and watch for application crashes. The site should also inform the user that cookies are required to use it.

  • Corrupting Cookies − Another test to perform is corrupting the cookies. To do this, one has to find the location of the site's cookie and manually edit it with fake/invalid data, which could otherwise be used to access internal information from the domain, which in turn could be used to hack the site.

  • Removing Cookies − Remove all the cookies for the website and check how the website reacts to it.

  • Cross-Browser Compatibility − It is also important to check that cookies are being written properly on all supported browsers from any page that writes cookies.

  • Editing Cookies − If the application uses cookies to store login information, then as a tester we should try changing the user in the cookie or address bar to another valid user. Editing the cookie should not let you log in to a different user's account.
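The "Editing Cookies" check above passes only if the server can tell an edited cookie from a genuine one. The following Python code is an added example (not from the original tutorial) of the server-side fix: the login cookie carries an HMAC tag computed with a secret the browser never sees, so swapping the username in the cookie invalidates it. `SERVER_SECRET`, the cookie layout and the usernames are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def sign_session_cookie(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Build a login cookie value of the form <username>.<hex HMAC-SHA256 tag>."""
    tag = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def verify_session_cookie(cookie_value: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the username if the tag matches, otherwise None (cookie rejected)."""
    # rpartition on the last '.' keeps usernames containing dots intact,
    # because the hex tag itself never contains one.
    username, sep, tag = cookie_value.rpartition(".")
    if not sep or not username:
        return None
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


def run_edit_cookie_test(secret: bytes = SERVER_SECRET) -> Dict[str, object]:
    """Reproduce the tester's check: edit the user in the cookie to another valid user."""
    original = sign_session_cookie("alice", secret)
    # The tester replaces the username but cannot recompute the tag.
    tampered = "bob" + original[len("alice"):]
    return {
        "genuine_cookie_user": verify_session_cookie(original, secret),
        "tampered_cookie_rejected": verify_session_cookie(tampered, secret) is None,
    }


if __name__ == "__main__":
    print(run_edit_cookie_test())
```

Without the tag (a cookie such as `user=alice` trusted as-is) the same edit would log the tester in as the other user, which is exactly the failure the check is meant to catch. A random session identifier looked up in a server-side store is the other common way to achieve the same property.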

Viewing and Editing Cookies

Modern browsers support viewing/editing of cookies from within the browser itself. There are also plugins for Firefox/Chrome with which we can perform the edit.

  • Edit Cookies plugin for Firefox

  • Edit This Cookie plugin for Chrome

The following steps should be performed to edit a cookie −

  • Download the plugin for Chrome from here

  • Edit the cookie value by accessing the 'Edit This Cookie' plugin in Chrome, as shown below.

[Figure: Cookie Testing]