Every time you visit a new web page, you receive the same boring request: “This site uses cookies, do you want to accept it?

What does it mean? And what are the consequences if you accept them? What is a session hijacking?

In this and in the next articles we are going to answer to these questions and we are going to see how an attacker can potentially have access to our sensitive data.

What is a Cookie Session?

When we speak about cookies in computer sciences we intend tiny text files which contain few bytes of data necessary in order for a web site to remember who we are when we visit its pages.

HTTP, the protocol in which the Internet is based, it’s a stateless protocol, this means that every time you visit a page, you should send your information from scratch.
Each HTTP session has no memory at all about who you are and when you have visited the page.

In other words, cookies store information about your interaction with a website.
For example, when you log into Facebook, a session begins. This allows you to keep using Facebook (even if you close and reopen the web browser) until you click on log out and end the session.

If the session wasn’t created, you would need to keep logging in every time you wanted new data.

This is why sessions are needed. It keeps you logged in so that you can continue to browse through different web pages and navigate the website.

What’s important to note here is that every session generates in your PC, of course, a set of cookies. We can call these session cookies. And each session cookie has a unique session ID.

Once created, your browser needs just to send this ID to Facebook every time you want to visit it, so that it can match your session and recognize who you are.

What is Session Hijacking?

Now, if on one hand it is true that cookies are a good tool, on the other hand it is also true that you can jump in trouble as soon as somebody is able to stole them.

When the attacker succeeds to get such data, he can potentially pretend to be you and, continuing the previous example, access to your Facebook profile without actually knowing your password.

Those kinds of attacks belong to the ones called in jargon session hijacking and cookies stealing.

But, how an attacker can stole cookies?

Well, an attacker has different possibilities. For example, if he is connected to your same Wi-Fi network, he can potentially sniff your traffic and intercept transmission containing sensitive information. Another way is to inject malicious script into a weak website and force your browser to send him your cookies (XSS).

What we’ll see in these articles it is another method based on using a program which has to be run in the victim’s PC and allows an attacker to backup all the cookies of a user, ready to be injected in another browser.

The Browser

In order to successfully perform a session hijacking and get the job done, it is really important to first target the browser and the OS used by the victim.

The browsers available nowadays have a standard way for storing profile information, normally these are put in a local folder in your hard driver, together with a database in which cookies are saved.

In these articles I’m going to take into account Windows 10 and Mozilla Firefox.

The folder we need is generally saved under an hidden one called AppData, which can be found inside:

Copy to Clipboard

For example, the complete path in my installation is:

Copy to Clipboard

Here you can find different subfolders depending on the number of Firefox active profiles. Inside them, Firefox saves a lot of information, including cookies.

The file we are interested in, is called cookies.sqlite that is a simple SQL database.

If you can’t find the AppData folder it may be that you can’t see the hidden folders, try to follow this guide and check again.

The Database

The first thing we have to do is to open this database and check how is composed.

In order to do that, we can use a simple tool called DB Browser for SQLite.
Download the installer for  your architecture from this page.

During the installation, remember to select the Program Menu checkbox available in the Shortcuts tab.

Once installed, open the application and search for the cookies.sqlite we found earlier by clicking on: Open Database.

At the time of writing, the database is structured this way:

this means that each cookie is stored with its own id together with a set of data among which the one labeled as value seems to be the most important.

Conclusions

Good, in this article we have introduced what is a cookie in computer science and why we need it. We have also seen, when this can become a cybersecurity risk and we have started to analyze where Firefox saves cookies.

In the next article, we’ll see how to write a Java application which is capable to backup up all those data  and restore them in another browser (the one of the attacker), so that we can deeply understand how session hijacking works.