Cookie Stealing - Computerphile

Published 2016-06-01
Cookie Monster isn't the only one fond of cookies - thieves on the Internet are partial too. Dr Mike Pound demonstrates & explains the art of cookie stealing.

Follow the Cookie Trail:    • Follow the Cookie Trail - Computerphile  
Cracking Websites with Cross Site Scripting:    • Cracking Websites with Cross Site Scr...  
Space Carving:    • Space Carving - Computerphile  
Deep Learning:    • Deep Learning - Computerphile  
Secure Web Browsing:    • Secure Web Browsing - Computerphile  
Anti Counterfeiting & Conductive Inks:    • Anti-Counterfeiting & Conductive Inks...  
Object Oriented Programming:    • Pong & Object Oriented Programming - ...  
Security of Data on Disk:    • Security of Data on Disk - Computerphile  

www.facebook.com/computerphile
twitter.com/computer_phile

This video was filmed and edited by Sean Riley.

Computer Science at the University of Nottingham: bit.ly/nottscomputer

Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com/

All Comments (21)
  • @lmiddleman
    Shouldn't this video be called "Biscuit Nicking"?
  • @atmunn1
    This guy and Tom Scott are my 2 favorite people on Computerphile. I just wish Tom still made videos on here.
  • @CRJessen
    Dr. Pound is really good. I want more videos from him.
  • @4pThorpy
    When I explain session IDs to other people (who usually couldn't care less), I always explain it like this: there are "blind guards" to "doors" in a webpage. At the front of the website there's someone who asks for your secret password, you tell them the password and they give you a special badge with Braille on it. You walk into the website and when you feel like going to another "room" (page)...you walk up to the guard and they grope you and say "oh well...you MUST be that person or they wouldn't have let you in, so I'll show you the stuff that only you are supposed to see"......the problem is when someone else makes a copy of that badge...the guards can't tell the difference. Then I go on about cross-site scripting until they go cross-eyed and then I install the NoScript browser extension for them 'cause they said "I don't care "how" it works...just make it so they can't do it."
  • I hate you guys. I have stuff to do, it's almost midnight and I keep on watching your so very interesting videos.
  • @AndrewMeyer
    11:37 It might be worth emphasising here that the reason this works is because the script specifically read the contents of the cookie and included it in the URL parameters for the image. Normally the browser will not send cookies intended for one site to a completely different one.
  • @mistermuffin710
    I love these videos that you and Tom Scott do here on Computerphile with ways people can and do hack websites while providing LEGAL examples. I would really like it if you and Tom Scott do more of these.
  • @bunnybreaker
    I'm so out of the loop. I didn't even realise this was possible in this way.
  • @AndrewMeyer
    Might also be worth mentioning the HttpOnly flag for cookies here. I mean, obviously if you're vulnerable to XSS that's a serious problem regardless of what other security measures you've taken to protect users, but at least with HttpOnly set the JavaScript won't be able to steal cookies.
  • @ghelyar
    For anyone thinking about pinning an IP address to a cookie, don't. Not only does it change if you move to a new wifi network, it changes if you move between wifi and mobile, if you move between cell towers, if you're on public transport which offers free wifi and some ISPs even use a different IP address for every request (albeit usually South East Asian dial up connections). I've had people complain that they couldn't log in to a website before because their IP address changed between submitting a login form and getting the response back. Also, if you really want to secure yourself from SQL injection you should use prepared statements, ideally with stored procedures, and never adjust the base query at all. Escaping is not generally good enough to stop more advanced attacks.
  • @alexwolfeboy
    You guys should do a series on stuff like this and how to try and prevent it. Since not too many people realise stuff like this especially when they begin coding - even Twitter has this happen not that long ago. I see how you show how it’s done, but you didn’t show how to prevent it ( an easy way that I use, is replace all angle brackets with the HTML code for it - it’s an ampersand and some text - now it won’t be valid HTML ). Heck, maybe even videos on how to secure your server itself.
  • @RetroFanEnt
    If I knew of this channel earlier my web projects would've benefited from it so much!
  • @richardv519
    Computerphile drinking game. Take a shot every time he tugs on his sweater.
  • @user-nl5hj4dy7y
    Don't get ghostery... It's owned by ad targeting companies.
  • @fablungo
    There are lots of complicated and simple methods that you can implement between IP locking the cookie and nothing. Been a while since I had to develop a web app, but a common technique I would use would be that every time a request is made a new session ID (or a secondary ID) is generated and the last one is invalidated. This will mean your session ID keeps changing, reducing the size of each attack window and if your cookie is stolen and used when you next request with the cookie the attacker has invalidated, it can invalidate both sessions and notify the end user/server administrator that there has been a potential security breach. It doesn't stop the attacks completely but it's a nice technique to make it harder and notify a user of the issue.
  • @goeiecool9999
    I actually heard a story of the valve steamworks not being protected against XSS which would allow a rogue developer to put HTML tags in the description of their app description and steal the cookies of any valve administrator visiting the info of his app.
  • @deineoma1301
    It would be awesome if you could provide your test website codes so one could try out for themselves and follow along. Thanks for the awesome content.
  • @kimjongun9915
    I steal my grandma's cookies all the time. Much easier than the way you do it. I just reach into the jar.
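
The per-request session ID rotation that @fablungo describes, together with the HttpOnly flag @AndrewMeyer mentions, as an added Python example (not code from the video or from any commenter). The class and function names, the in-memory store and the choice to revoke every live session of the affected user are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie


class RotatingSessions:
    """Hypothetical in-memory session store: one fresh ID per request."""

    def __init__(self):
        self.current = {}   # live session ID -> user
        self.retired = {}   # already-rotated session ID -> user
        self.alerts = []    # users whose sessions were revoked after a replay

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable, from the OS CSPRNG
        self.current[sid] = user
        return sid

    def login(self, user):
        return self._issue(user)

    def request(self, sid):
        """Return (user, new_sid) for a live ID, otherwise (None, None)."""
        if sid in self.current:
            user = self.current.pop(sid)
            self.retired[sid] = user      # keep it so a replay is detectable
            return user, self._issue(user)
        if sid in self.retired:
            # A retired ID came back: two parties hold copies of one cookie.
            user = self.retired[sid]
            for live in [s for s, u in self.current.items() if u == user]:
                del self.current[live]    # revoke thief and victim alike
            self.alerts.append(user)      # hook for notifying user/admin
        return None, None


def set_cookie_header(sid):
    """Build the Set-Cookie value; HttpOnly hides it from document.cookie."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True   # script on the page cannot read it
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()
```

Rotating on every request needs care with concurrent requests from the same browser, since a second in-flight request will present an ID that has just been retired.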