Cookie defense

As we discussed in earlier chapters, cookie hijacking is a technique where an attacker steals session cookies. Cookie hijacking can be defeated if your website is running SSL/TLS 3.0. Many attackers will bypass SSL/TLS by using a combination of man-in-the-middle or SSL strip attacks; however, ensuring that your web application only has secure pages, meaning that it does not provide an HTTP to HTTPS redirection, will mitigate those forms of attack.

Tip

Cookie hijacking can work over SSL/TLS connections if attackers use cross-site scripting to send cookies to their servers. Developers can mitigate this risk by setting the Secure and HttpOnly flags on the cookies.
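The following Python example (added here; it is not code from the book) shows what the Tip describes: building a session cookie with the Secure and HttpOnly flags set, and a small audit function a developer can run over `Set-Cookie` headers to catch cookies that are missing either flag. The cookie name, value and the two sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value for a session cookie with both
    protective flags set. Secure keeps the browser from sending the cookie
    over plain HTTP; HttpOnly keeps script (e.g. injected via XSS) from
    reading it via document.cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True     # only transmitted over TLS
    jar[name]["httponly"] = True   # not exposed to JavaScript
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> tuple[str, list[str]]:
    """Parse one Set-Cookie header value and report missing flags.

    Returns (cookie_name, findings). An empty findings list means both
    Secure and HttpOnly are present."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True   # bare flag such as Secure / HttpOnly

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag")
    return cookie_name, findings


# Constructed sample headers: one weak, one produced by the helper above.
WEAK_HEADER = "sessionid=abc123; Path=/"
HARDENED_HEADER = build_session_cookie("sessionid", "abc123")

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        name, findings = audit_set_cookie(header)
        status = ", ".join(findings) if findings else "OK"
        print(f"{name}: {status}   <- {header}")
```

Running the module prints a finding for the weak cookie and `OK` for the hardened one; the audit function is written so it can be pointed at the `Set-Cookie` headers of a real response during a review.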

A common mistake regarding web application security is assuming developers secure the ...
