CyberCode Academy

Course 1 - BurpSuite Bug Bounty Web Hacking from Scratch | Episode 12: Cookies, Sessions, and Session Management Manipulation Vulnerability



In this lesson, you’ll learn about:
  • HTTP is stateless: every request is independent, so web apps must implement state mechanisms to track users.
  • Cookies — client-side state: small pieces of text (≈4 KB each) stored by the browser and sent back with every request to the issuing site, holding preferences, auth data, and often session IDs; key attributes: Domain, Path, Expires, Secure (sent over HTTPS only), and HttpOnly (not accessible to JavaScript).
  • Sessions & Session IDs — server-side state: session data lives on the server and is referenced by a unique, high-entropy Session ID (long, random alphanumeric string) sent to the client; sessions are generally more secure because sensitive data is not exposed to the client.
  • Security properties: ensure Session IDs are random, long, rotated after privilege changes (e.g., post-login), and invalidated on logout/timeout; prefer server-side storage for sensitive state.
  • Cookie vs. Session tradeoffs: cookies provide persistence and client-side convenience but expose data to the client; sessions keep data server-side but require secure Session ID management.
  • Common session-management vulnerabilities: predictable or reused session IDs, session fixation (reusing same ID before/after login), session IDs in URLs, lack of invalidation, and insecure cookie flags leading to theft via XSS.
  • Practical exploitation demo (session manipulation): editing cookies can change user identity if server trusts client-side identifiers (e.g., modifying UID cookie allowed switching accounts), demonstrating weak server-side authorization checks.
  • Mitigations & best practices: never trust client-side identifiers for authorization, use secure cookie flags (Secure, HttpOnly, SameSite), rotate session IDs on privilege changes, implement strict session timeouts and invalidation, and store sensitive state server-side.
  • Core takeaway: robust session management requires secure Session ID generation, careful cookie handling, and server-side authorization — otherwise attackers can hijack or impersonate users via simple cookie/session manipulation.
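The following is an added example written for this summary, not code from the course or its demo application. It contrasts the vulnerable pattern from the demo (identity read from a client-editable UID cookie) with a minimal server-side session store that generates high-entropy IDs, rotates the ID at login, enforces an idle timeout, and emits a cookie with the Secure, HttpOnly and SameSite flags. The 900-second timeout and the cookie name `session` are assumptions for the example.

```python
import secrets
import time

SESSION_TTL = 900  # idle timeout in seconds (assumed policy for this example)


class SessionStore:
    """Server-side session state keyed by a random session ID; the client only ever holds the ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # sid -> {"uid": str | None, "last_seen": float}
        self._clock = clock  # injectable for testing timeouts

    def create(self, uid=None):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[sid] = {"uid": uid, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # idle timeout: invalidate server-side
            return None
        rec["last_seen"] = self._clock()
        return rec

    def login(self, old_sid, uid):
        # Rotate on privilege change: the pre-auth ID is discarded, so an ID
        # planted before login (session fixation) never becomes authenticated.
        self._sessions.pop(old_sid, None)
        return self.create(uid)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie value with the flags the lesson recommends."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def current_uid_vulnerable(cookies):
    # The demo's weakness: identity taken from a cookie the client can edit.
    return cookies.get("uid")


def current_uid_hardened(store, cookies):
    # Identity comes only from server-side state; a forged "uid" cookie is ignored.
    rec = store.lookup(cookies.get("session", ""))
    return rec["uid"] if rec else None
```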


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

By CyberCode Academy