DDoSPedia is a glossary that focuses on network and
application security terms with many distributed
definitions. It provides a central place for hard to find web-scattered
definitions on this topic.
Cookie poisoning is the act of manipulating or forging a
(a small piece of data created and stored in a user's browser that keeps track of important information regarding his or her session information for a particular site) for the purpose of bypassing security measures or sending false information to a server. An attacker using cookie poisoning can gain unauthorized access to a user's account on the particular site the cookie was created for, or potentially tricking a server into accepting a new version of the original intercepted cookie with modified values.
If the developer of the web application that created the cookie chose to store important parameters within the application's created cookies, (especially if key parameters, such as privilege level, are labeled such that they can be easily identified) cookie poisoning can be carried out fairly easily and effectively. One such example of cookie poisoning might involve intercepting an online retailer's cookie before its information is sent from a user's computer to the server during a "cart checkout" process and modifying price values to trick the server into charging the user less money.
As cookie poisoning is fairly easy to do, most high quality web applications are developed so that certain key parameters are not stored within cookies, and are also given non-intuitive names and possible values to deter guessing and modification by an attacker. Additionally, a good web application firewall (WAF) will protect against cookie poisoning by detecting cookie "set" commands sent by the web server and intercepting all HTTP requests in order to compare them to the information present in the received cookie. The cookie is then only accepted if the information is deemed accurate and not tampered with, preventing any kind of forgery or manipulation by an attacker.