Security Testing Concise Tutorial

Security Testing - Cookies

A cookie is a small piece of information sent by a web server to be stored in a web browser so that the browser can send it back with later requests. This way, the browser remembers some specific personal information. If a hacker gets hold of the cookie information, it can lead to security issues.

Properties of Cookies

Here are some important properties of cookies −

  1. They are usually small text files, given ID tags that are stored on your computer’s browser directory.

  2. They are used by web developers to help users navigate their websites efficiently and perform certain functions.

  3. When the user browses the same website again, the data stored in the cookie is sent back to the web server to notify the website of the user’s previous activities.

  4. Cookies are unavoidable for websites that have huge databases, need logins, or have customizable themes.

The cookie contains the following information −

  1. The name of the server the cookie was sent from.

  2. The lifetime of the cookie.

  3. A value - usually a randomly generated unique number.

Types of Cookies

  1. Session Cookies − These cookies are temporary and are erased when the user closes the browser. When the user logs in again, a new cookie for that session is created.

  2. Persistent Cookies − These cookies remain on the hard disk drive unless the user deletes them or they expire. How long they last is determined by the expiry time set on the cookie.

Testing Cookies

Here are the ways to test the cookies −

  1. Disabling Cookies − As a tester, we need to verify access to the website after disabling cookies and check that the pages still work properly. Navigate to all the pages of the website and watch for application crashes. The site is also required to inform the user that cookies are needed to use it.

  2. Corrupting Cookies − Another test to be performed is corrupting the cookies. To do this, one has to find the location of the site's cookie and manually edit it with fake or invalid data. If corrupted cookie data can be used to access internal information from the domain, that information could in turn be used to hack the site, so the application must reject it.

  3. Removing Cookies − Remove all the cookies for the website and check how the website reacts to it.

  4. Cross-Browser Compatibility − It is also important to check that cookies are being written properly on all supported browsers from any page that writes cookies.

  5. Editing Cookies − If the application uses cookies to store login information, then as a tester we should try changing the user in the cookie or in the address bar to another valid user. Editing the cookie should not let you log in to a different user's account.
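The corrupting and editing checks above (items 2 and 5) can only pass if the server detects a modified cookie. As an added example that is not part of the original tutorial, the following Python issues an HMAC-signed session cookie carrying the attributes discussed on this page (lifetime, HttpOnly, Secure, SameSite) and refuses a cookie whose user name has been edited or whose value has been corrupted; the `SECRET_KEY` value and the `session` cookie name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Server-side secret; constructed placeholder for this example, never sent to the browser.
SECRET_KEY = b"example-server-secret-rotate-me"


def sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(username: str, persistent: bool = False, max_age: int = 86400) -> str:
    """Return a Set-Cookie header line for a signed session cookie.

    Value = "<user>:<random nonce>:<HMAC>", so any edit to user or nonce breaks the signature.
    Without Max-Age the browser treats it as a session cookie (erased when the browser closes);
    with Max-Age it is a persistent cookie that expires after max_age seconds."""
    payload = f"{username}:{secrets.token_hex(16)}"
    cookie = SimpleCookie()
    cookie["session"] = f"{payload}:{sign(payload)}"
    morsel = cookie["session"]
    morsel["httponly"] = True      # not readable by page scripts
    morsel["secure"] = True        # only sent over HTTPS
    morsel["samesite"] = "Lax"     # not attached to cross-site POST requests
    morsel["path"] = "/"
    if persistent:
        morsel["max-age"] = max_age
    return cookie.output(header="Set-Cookie:")


def verify_session_cookie(cookie_header: str):
    """Parse a request 'Cookie' header and return the user name only if the signature is valid.

    A missing, corrupted or edited cookie yields None, so the caller treats it as logged out."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    payload, sep, sig = jar["session"].value.rpartition(":")
    if not sep or not payload:
        return None  # corrupted: no signature part at all
    if not hmac.compare_digest(sign(payload), sig):
        return None  # edited user/nonce or tampered signature
    return payload.split(":", 1)[0]


def cookie_value(set_cookie_line: str) -> str:
    """Extract the bare session value from a Set-Cookie line (what the browser stores)."""
    return set_cookie_line.split("session=", 1)[1].split(";", 1)[0]
```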

Viewing and Editing Cookies

Modern browsers support viewing and editing of cookie information within the browser itself. There are also plugins for Mozilla Firefox and Chrome with which we are able to perform the edit.

  1. Edit Cookies plugin for Firefox

  2. Edit This Cookie plugin for Chrome

The steps to edit a cookie are −

  1. Download the plugin for Chrome from here

  2. Edit the cookie value by opening the 'Edit This Cookie' plugin in Chrome and changing the stored value.
