Overview

Cookie poisoning is the unauthorized modification of cookie data. Because cookies are stored on the user's device, an attacker (or the user themselves) can easily view and edit them, and unless they are properly protected the server cannot tell a tampered cookie from a genuine one.

Examples

  • Privilege Escalation: Changing a cookie value like isAdmin=false to isAdmin=true.
  • Data Theft: Modifying a user ID in a cookie to view another user's profile.

Prevention

  • Encryption: Encrypting the contents of the cookie so it cannot be read or modified by the user.
  • Digital Signatures: Signing the cookie with a secret held only by the server, so the server can detect if it has been tampered with.
  • Server-Side Sessions: Storing sensitive data on the server and only keeping a random session ID in the cookie.
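The following is an added example (not part of the original page) that puts two of the preventions above into working code: an HMAC-signed cookie, checked against the isAdmin=false to isAdmin=true edit from the Examples list, and a server-side session store that keeps only a random ID in the cookie. The key value, the payload format and the function names are assumptions made for the example; a real application loads its key from a secrets manager rather than hard-coding it.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example key: a real application loads this from a secrets manager
# and never sends it to the client. Rotating it invalidates every outstanding cookie.
SECRET_KEY = b"constructed-example-key-not-for-real-use"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is safe inside a Set-Cookie header."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises ValueError (binascii.Error) on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: str, key: bytes = SECRET_KEY) -> str:
    """Return '<b64 payload>.<b64 HMAC-SHA256(key, payload)>'.

    The client can still READ the payload (it is encoded, not encrypted), but it
    cannot produce a valid tag for a changed payload without the server's key.
    """
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return f"{_b64(payload.encode('utf-8'))}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the payload string if the tag is valid, otherwise None.

    Every failure mode (missing separator, bad base64, wrong tag length, wrong
    key, edited payload) collapses to None so the caller treats it as 'no cookie'.
    """
    try:
        body, tag_b64 = cookie.rsplit(".", 1)
        payload = _unb64(body)
        presented = _unb64(tag_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, presented):
            return None
        return payload.decode("utf-8")
    except ValueError:  # covers unpack errors, binascii.Error and UnicodeDecodeError
        return None


def swap_payload_keep_tag(cookie: str, new_payload: str) -> str:
    """Simulate the edit from the Examples list: change the payload, keep the old tag."""
    _, tag_b64 = cookie.rsplit(".", 1)
    return f"{_b64(new_payload.encode('utf-8'))}.{tag_b64}"


class SessionStore:
    """Server-side sessions: the cookie carries only an unguessable random ID."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = dict(data)
        return sid

    def get(self, sid: str):
        # An edited or invented ID simply matches nothing; no data lives client-side.
        return self._sessions.get(sid)


if __name__ == "__main__":
    genuine = sign_cookie("user=42;isAdmin=false")
    print("genuine cookie verifies as:", verify_cookie(genuine))
    forged = swap_payload_keep_tag(genuine, "user=42;isAdmin=true")
    print("edited cookie verifies as: ", verify_cookie(forged))
    store = SessionStore()
    sid = store.create({"user": 42, "isAdmin": False})
    print("session lookup:", store.get(sid), "| invented id:", store.get("invented-id"))
```

The signed-cookie variant keeps the data readable by the client, so it suits non-secret state such as a username or a display preference; anything the user must not see belongs in the session store, where the cookie reveals nothing and an edited ID simply fails to match.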

Related Terms