Skip to main content


Cookie Spoofing: Explained and Prevented

Istock 1327818236

“C is for Cookie; that’s good enough for me.” – Cookie Monster

While I may not agree with all of Cookie Monster’s ideas, he does have one thing unquestionably right: Cookies. We all love them. Who doesn’t? Anyone who doesn’t love cookies is not to be trusted. There is, however, a genus of actors that both love cookies and are not to be trusted. Those actors are known as “hackers.” Sound familiar? That’s right. Hackers will steal your cookies and use them to access your secure and private information! What is the world coming to…

To explain Cookie Spoofing, we must also cover the larger group of attacks it falls into, known as Session Spoofing. Session Spoofing is enacted when a highly qualified specialist actor obtains the identifiers (TCP Sequence Number and TCP Acknowledgement Number) of a user’s active web service session. The actor can then use the current identifiers to create a falsified data packet sent from any internet connection to fool the service that the actor’s session is a legitimate session, providing the actor with access control of whatever credentials the user was implementing. Session Spoofing is rarely used by modern actors, as OS providers have developed defenses against these attacks; however, some estimates put the number as high as 35% of modern systems still being vulnerable to Session Spoofing.

Spooky, right? Like evil Cosplayers, Session Spoofers extract useful information from your unencrypted data flows and use it to stitch together a digital You-Suit!

Cookie Spoofing is a specialized form of Session Spoofing. Also known as “Session Hijacking” or “Cookie Side-Jacking,” the Cookie Spoof attack utilizes the service-set cookie to fraudulently take over a user’s session, most commonly applying to browser sessions or web applications.

How Do They Do This?

In most cases, when a user logs into a web application, the server sets a temporary session cookie in the user’s browser to remember that the user is currently logged in and authenticated. The actor need only obtain the victim’s session ID, which is stored in the cookie. This information can be obtained through two primary means: “packet-sniffing” (the grabbing of unencrypted network data through a NIC in Monitor mode) or a Notification Spoof. The Notification Spoof, which falls under Cross-Side Scripting (XSS), is the most common method of performing the Cookie Spoof attack. An actor injects client-side scripts into a web page to execute arbitrary code upon loading the compromised page. This arbitrary code produces a false notification (YOUR COMPUTER IS INFECTED WITH 23 VIRUSES!!!!!) to trick the user into clicking on a malicious link with a pre-set session ID. The actor can then use the stolen session ID for their browser session, which will trick the server into believing the actor’s session is legitimate, enabling the actor to perform any functions the user would have been authorized to perform (such as accessing secure documents, sending emails, or even transferring money or making credit card purchases!).

How Do You Defend Yourself Against Cookie Spoofing?

For packet sniffing, the solution is as simple as using a VPN whenever you connect to a network. This ensures your traffic is encrypted, making it useless to a bad actor.

For defending against Cross-Side Scripting, however, you just need to be wary. Your Operating System will typically warn you of insecure websites. Heed that warning, and walk the other way. If a website asks you to “enable this” or “install that” to view their content, err on the side of caution and conclude that you didn’t REALLY need to see that 5,000th cat picture of the day, even IF the thumbnail looks super-adorable.

Avoiding the Cookie Spoof attack is as simple as being mindful of where you are, what you are connected to, and where your data is going!

That’s it!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Michael Cheatham

I am a CDDO Technical Consultant and have a background in Azure DevOps and NSX with Hashicorp Terraform, with a special interest in cybersecurity and automation. I am a father of four children and live in South Louisiana, operating out of the Lafayette Delivery Center.

More from this Author

Follow Us