Monday, April 21, 2014
How to prevent Cookie Stealers

This mini tutorial will teach you a few ways of protecting your website against cookie stealers.



In this article, I will be giving a few tips on how to protect against cookie stealers.


Flash Cookie Stealers
--------
Some sites allow Flash to be embedded, and if your site isn't secure, people can use JavaScript within the Flash file to steal cookies. In case you didn't know, the simple way of embedding a Flash file in an HTML page is:

<embed src="somefile.swf" width="somewidth" height="someheight"></embed>

But people can easily put JavaScript in their Flash file to either steal cookies or annoy the user. To disallow JavaScript within the Flash file, just add allowscriptaccess="never" to the embed tag. Example:

<embed src="somefile.swf" width="somewidth" height="someheight" allowscriptaccess="never"></embed>

And that way, all JavaScript within the Flash file will be blocked. But if you have a site that allows users to upload .swf files directly to your site, they can still use JavaScript even with allowscriptaccess="never". What they could do is find the exact URL of their uploaded .swf on your server, and spread that exact URL around instead of the embedded Flash.

Well, not to fear, there is still a way to stop people from stealing cookies, but unfortunately there is no way of stopping people from using annoying JavaScript in their uploaded Flash. I'm assuming you use PHP to create your cookies. As of PHP version 5.2, there is a new parameter to the setcookie() function. In this parameter, you can specify whether or not the cookie can only be accessed through the HTTP protocol. If set to TRUE, all JavaScript attempts to access the cookie will fail. In case you are wondering, JavaScript accesses cookies through document.cookie.


XSS (Cross-site Scripting) Cookie Stealers
--------
If you have a place on your site where people can submit or print text onto a page, make sure it is secure first. If it isn't, people can submit any kind of HTML or JavaScript to take control of the page. So, I will go over two PHP functions that can stop all HTML and JavaScript from being output on a page.

The first function is the strip_tags() function. With this function, you can strip any kind of tag that is being output. The only bad thing is that it would also strip non-HTML tags such as <lol>. Anyway, an example is below:

<?php
$text="Hello <b>World</b>";
echo strip_tags($text); //Outputs Hello World, without "World" being bold.
?>

So, applying that function to all user-submitted text will ensure that you're safe.


The second function is htmlentities(). I prefer this over the strip_tags() function, because it keeps everything, but doesn't allow html. It will simply turn all special characters in html to their entity form. An example:

<?php
$text="Hello <b>World</b>";
echo htmlentities($text); //Outputs Hello &lt;b&gt;World&lt;/b&gt;, which the browser displays as the literal text Hello <b>World</b>, because the < and > have been converted to their entity form.
?>
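
Both defences from this article combined in one small page, as an added example that is not part of the original tutorial. The cookie name "sid", the esc() helper, the "comment" form field and the sample text are hypothetical, and passing ENT_QUOTES and 'UTF-8' to htmlentities() is a choice made here so the same helper also holds inside a quoted attribute value.

```php
<?php
// Added example, not the article author's code. The cookie name "sid", the
// "comment" field and the default comment text are constructed.

// 1. HttpOnly cookie: the 7th setcookie() parameter (PHP 5.2+) keeps the
//    cookie out of document.cookie. Must run before any output is sent.
if (!isset($_COOKIE['sid'])) {
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $sid = bin2hex(random_bytes(16)); // random_bytes() needs PHP 7+
    setcookie('sid', $sid, 0, '/', '', $secure, true);
}

// 2. Output escaping: ENT_QUOTES also converts " and ', so the same helper
//    is usable inside a quoted attribute value as well as between tags.
function esc($text)
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

$comment = (isset($_POST['comment']) && is_string($_POST['comment']))
    ? $_POST['comment']
    : 'Hello <b>World</b> & "friends"'; // constructed sample input
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Escaped comment demo</title></head>
<body>
  <!-- Element content: the markup is shown as text, not rendered. -->
  <p>Your comment: <?php echo esc($comment); ?></p>

  <!-- Attribute value: quotes in the comment cannot close value="...". -->
  <form method="post">
    <input type="text" name="comment" value="<?php echo esc($comment); ?>">
    <input type="submit" value="Post">
  </form>

  <!-- The browser stores "sid" and sends it back to the server, -->
  <!-- but script sees no "sid" entry here because of httponly. -->
  <p>Cookies visible to script: <span id="seen"></span></p>
  <script>
    document.getElementById('seen').textContent = document.cookie;
  </script>
</body>
</html>
```

Served through PHP's built-in web server (php -S localhost:8000), the response carries a Set-Cookie header for sid with the HttpOnly attribute, while the "Cookies visible to script" line stays empty.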
--------
Well, that concludes my mini tutorial on how to protect yourself from cookie stealers. I hope you learned something!

Comments

regit on September 01 2006 - 17:31:29
Great article, it was very informative. Thank you for writing it :)
willeH on September 02 2006 - 22:03:53
You could use a cookie-stealer stopper plugin for Firefox :) Nice article.
WhiteAcid on September 03 2006 - 22:33:48
There are several more things that should be filtered; no magic function can be made. Instead, the web developer has to think about what context the string is being echoed into. It may be into an element's attribute, style tag. Maybe into a style or even a script tag (I've seen both done without resulting in flaws).
Zarray on March 18 2007 - 10:23:56
or turn HTTP_TRACE off