Top 5 Security Issue with COOKIES

Shakhawat Hossain - 0xShakhawat
2 min readAug 7, 2022
What are cookies?

What are Cookies?

Cookies are text files with small pieces of data like username and password that are used to identity your computer as you use a computer network.

Top 5 Security Issue with COOKIES
reader’s digest

Types of Cookies

(1) Session cookies:

If you visit website requiring a password, session cookies are what allows you to hop from page to page without needing to log in every time.

(2) Persistent cookies:

persistent cookies are used to update your preferences when you visit a website. They’re used to analyze a user’s browsing habits.

(3) Flash Cookies:

Similar to persistent cookies, except they’re stored as Adobe Flash files instead if text files, these contain the same data and work just like other cookies.

Five Security Issue with cookies:

1. Cross-Site Request Forgery Attack (CSRF)

It is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.

CSRF attacks exploit the trust Web application has an authenticated user.

2. Session Fixation

If a website allows session IDs in the query parameters, an attacker can include a specific session ID in the URL.

If they send that URL to a user and the user logs into the website using their legitimate credentials, the attacker can then take over that session & gain access to the user’s account.

3. Cross-Site Scripting (XSS)

The attacker writes malicious code and posts it to a trusted website. When the user visits the website, their browser is loads the content.

It executes all the scripts and grants access to any session tokens, cookies, or other sensitive information including login details.

4. Cookie Tossing Attack

Attackers create a fake subdomain cookie for a website and send it to a user. When the user visits that website.

It’ll pull the attacker’s fake cookie. then attacker will be able to take over the session and gain access to the user’s account.

5. Cookie Capturing

If a cookie is being used for authentication purposes should always be sent via secure SSL/TLS channels.

If a website allows for cookies to be sent using cleartext, an attacker could potentially eavesdrop on network traffic to capture the unsecured cookie.


Cookies have made a significant contribution to making the web stateful, but they also add to the attack surface.

They can be used by hackers to gain control of privileged functionalities, perform SQL injections, session hijacking, and account takeover.

Share && Aware

if you have enough time, visit my portfolio site

and follow me on medium