1

I am assessing a small e-commerce web application. I have found that the application passes the order details, the cost, the order ID, etc. as part of the cookie. Tampering with it does not affect the operations.

However, I wanted to know if this is a safe practice to follow? Does it pose any threat? Also, is there any resource which gives guidelines for security best practices for e-commerce applications so that I can reference the same to my client?

Anders
Tim
  • Related posts: [here](https://security.stackexchange.com/questions/95681/storing-personal-information-in-cookies?rq=1) and [here](https://security.stackexchange.com/questions/34955/should-cookies-that-contain-non-sensitive-information-be-encrypted?rq=1) – Jedi Jul 05 '16 at 02:06
  • I think the last part of your question - the request for guidelines - might be off topic here (since it is sort of a request for product recommendations). – Anders Jul 05 '16 at 08:50

4 Answers

3

Putting actual information into cookies, as opposed to just storing a session ID and keeping the rest of the information server side, can (but does not have to) be problematic. There are two pitfalls you want to avoid:

  • Trusting information in the cookie without server side validation, e.g. accepting a total price of $0.01 just because the cookie says so.
  • Storing sensitive information in the cookies, e.g. passwords or credit card numbers.

However, there are legitimate reasons to store things in cookies. I could imagine it could be useful when implementing a shopping cart and you want to persist the content over page loads without troubling the server.

So to know if there is a vulnerability here you need to carefully pen test the application (just like you have already done). Try changing the price. Try to order an item that you should not be able to order. Try providing random rubbish. Try to fake discounts you should not get. Try to order nonexistent items to get the free shipping you only get when ordering more than five items. Try starting two orders in different browsers and see if you can hijack one of them by changing the order ID of the other. Etc, etc, etc.

Some apps that rely on cookies to keep a state will populate a form client side with the data from the cookie, and then that form is sent to the server when the order is submitted so the server will never bother with the cookie. If that is the case here, you should probably focus your pen testing on the form instead of the cookie.

To write safe code, you will need to treat cookie values with the same scepticism you treat any user input even though it was you who set the values. So you will need to validate, do authorization, calculate the correct price and so on server side.

So to summarize, the answer is a firm "it depends".

Anders
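The server-side checks described in the answer above, as an added Python example that is not part of the original post or the assessed application. The JSON cookie layout, the names `CATALOGUE`, `ORDER_OWNER` and `price_order`, and the shipping fee are assumptions made for illustration.

```python
import json
from decimal import Decimal

# Constructed sample data standing in for the server's own records.
CATALOGUE = {"SKU-1": Decimal("19.99"), "SKU-2": Decimal("5.00")}
ORDER_OWNER = {"order-1001": "alice", "order-1002": "bob"}
FREE_SHIPPING_MIN_ITEMS = 5      # free shipping only above five items
SHIPPING_FEE = Decimal("4.50")   # hypothetical fee
MAX_QTY = 100
# Constructed cookie in which the client has edited the price and total.
TAMPERED_COOKIE = ('{"order_id": "order-1001", "total": "0.01", '
                   '"items": [{"sku": "SKU-1", "qty": 1, "price": "0.01"}]}')


class CartRejected(ValueError):
    """Raised when the cookie cannot be accepted as an order."""


def price_order(cookie_value, session_user):
    """Return the server-computed total for the cart carried in a cookie."""
    try:
        cart = json.loads(cookie_value)
        order_id, lines = cart["order_id"], cart["items"]
    except (ValueError, KeyError, TypeError):
        raise CartRejected("malformed cart cookie") from None
    # Authorization: the order ID must belong to the authenticated session.
    if not isinstance(order_id, str) or ORDER_OWNER.get(order_id) != session_user:
        raise CartRejected("order does not belong to this user")
    if not isinstance(lines, list) or not lines:
        raise CartRejected("empty or invalid item list")
    subtotal, count = Decimal("0"), 0
    for line in lines:
        sku = line.get("sku") if isinstance(line, dict) else None
        qty = line.get("qty") if isinstance(line, dict) else None
        if not isinstance(sku, str) or sku not in CATALOGUE:
            raise CartRejected("unknown item")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise CartRejected("invalid quantity")
        # Any "price" or "total" field in the cookie is ignored on purpose.
        subtotal += CATALOGUE[sku] * qty
        count += qty
    shipping = Decimal("0") if count > FREE_SHIPPING_MIN_ITEMS else SHIPPING_FEE
    return subtotal + shipping
```

If the server behaves like this, editing the cookie changes nothing at checkout, which matches what the question observed.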
0

As you already used the words "sensitive information", it is not recommended to pass the info in cookies. Also, if secure and http-only attributes are not set, it is easy for an attacker to read this data. So the question you should ask is, "do I want someone to access this information?" If the answer is a strict no, then don't pass it.

one
0

> Tampering with it does not affect the operations.

There are 3 possible explanations:

1) The information in the cookies is redundant

2) You've not yet found the right combination of circumstances where the content of the cookie does affect the function

3) It did have an impact but you did not observe it

Clearly 2 above would mean that there is a vulnerability in the application. But the first explanation is still a cause for concern. It implies that the application is leaking information, that the developers are not paying due care and attention to the code they implement or are not cleanly removing redundant code from the application.

There is only one potential scenario where this would be a good idea - that is in using the cookie storage as a cache - a catalogue of content could be generated using cacheable / static pages with embedded JavaScript to read in the values from the cookie and populate a basket indicator. If this were the case, then I would expect to see the indicator change when the cookie was tampered with (but at checkout the server-stored amounts and values would be displayed) - but you said there was no impact.

symcbean
  • I would say there is an alternative four: The cookie is used to store a client side state, but not for any interaction with the server. (But maybe this would qualify as "affect the operations".) – Anders Jul 05 '16 at 14:59
0

Putting shopping cart information in the cookie, by itself, is not a security vulnerability, as long as it doesn't allow the user to do anything they aren't allowed to do, such as ordering items at a different price than the real price or affecting the prices seen by other users/sellers.

A user being able to mess with their own displays is not a security issue, provided that the server does not use the price information given by the client when calculating the price for the actual transaction.

But though this may not be a security issue, using cookies in this way is poor design, as it is essentially using cookies as a form of client-side caching. The problem is that cookies are sent to the server on all requests, and it adds significant overhead to each HTTP request if you have lots of data in cookies. This was a common trick decades back when sites needed to store some information on the client, but modern browsers support SessionStorage/LocalStorage and IndexedDB, which are much better for this kind of thing.

Lie Ryan