[Javascript] Can I Give Myself a Cookie ?

Chris Tifer christ at saeweb.com
Tue Apr 22 09:21:13 CDT 2003


> However, with regard to persistent cookies -- boy is he wrong!
>
> First off, detecting cookies is no biggie.  A cookie is stored on a file
> in what is (for the most part) a standard directory.

So really, you're more worried about someone getting access to your
computer, not somebody using an exploit to expose cookies through
the browser, because unless you allow someone to install an Active-X
object, I don't see how cookies will be reported to any outside domains.



> The structure of a cookie is defined quite nicely in the McGraw-Hill book
> named (appropriately) "Cookies".  First published in 1998, it runs about $11.00
> new.
>
> The "standard" way of using a cookie is to reference the URL you are calling from,
> and ask nicely for the cookies associated with it.  If you want to see if the
> web page you are on has any cookies associated with it, just type the following
> into the location bar:
>
> javascript:alert(document.cookie.replace(/;/g, "\n"))

But you know why this works, right? Because it's accessing the CURRENT domain's
cookies, not any outside of the domain.


> If you want a more automatic way of doing things, something like the following
> script will work:
>
> <script language="JavaScript">
> <!--
>   function cookieMonster() {
>     var cookies = document.cookie.split(";");
>     var HTML = "";
>     for (var i=0; i<cookies.length; i++) {
>       HTML += cookies[i] + "<br>\n";
>     }
>     document.write(HTML);
>   }
> // -->
> </script>

I'm willing to bet that you won't be able to list the cookies from anyone's
domain except yours.



> Of course, one can have secure, non-secure, site-specific, and site-open cookies
> also.  Javascript has a number of other useful cookie commands which should be
> examined.
>
> However (!!!) a cracker doesn't bother with these niceties.  He simply sucks up
> the raw cookies (not using the warm and fuzzy document.cookie directives), and
> parses them.  The average cookie is built something along these lines:
>
> <cookie designator>#<client-ip-address>-nnnnnnnnn.nnnnnnnnn::<cipher-key>#<server-ip/URL>#<encoded pair 1>#
> <encoded pair 2># ... #<encoded pair N>#*#

While storing Cookies is of course more convenient to a hacker, if someone's good
enough to get into your machine, I doubt they're only good enough to look in one
directory - your cookie directory. They'd likely have the ability to check ANYTHING
out on your computer and scan it for numbers that match CC # patterns.

You're right. It's not good to store sensitive data in cookies, but it's fairly
safe to store some sort of identifying value so the site can look you up easily enough
and using that info, the site's owners can search for your information in their DB.

In short, I would never store CC info in a cookie.

Chris Tifer
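
The approach the reply ends on, keeping only an identifying value in the cookie and looking the rest up in the site's database, as an added example that is not part of the original post. It runs under Node.js; the cookie name sid, the in-memory Map standing in for the DB, and the sample record are assumptions.

```javascript
// Added example; all names and sample data here are constructed.
const { randomBytes } = require("crypto");

// Stand-in for the site's DB: the sensitive record never leaves the server.
const sessions = new Map();

// Issue an opaque, unguessable identifier and build the Set-Cookie header.
function issueSession(record, maxAgeSeconds = 3600) {
  const id = randomBytes(32).toString("hex"); // 256 random bits, no user data
  sessions.set(id, { record, expires: Date.now() + maxAgeSeconds * 1000 });
  // HttpOnly keeps the value out of document.cookie; Secure limits it to HTTPS.
  return `sid=${id}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Parse a Cookie request header ("a=1; b=2") into name/value pairs.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip fragments with no "="
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Look the visitor up by identifier; malformed, unknown or expired ids get null.
function lookupSession(cookieHeader) {
  const sid = parseCookieHeader(cookieHeader).sid;
  if (typeof sid !== "string" || !/^[0-9a-f]{64}$/.test(sid)) return null;
  const entry = sessions.get(sid);
  if (!entry) return null;
  if (entry.expires <= Date.now()) {
    sessions.delete(sid); // drop stale entries on access
    return null;
  }
  return entry.record;
}

// Constructed demo: the header carries only the identifier.
const setCookie = issueSession({ customerId: 1042, card: "kept server-side" });
const cookiePair = setCookie.split(";")[0];
console.log(setCookie);
console.log(lookupSession("theme=dark; " + cookiePair)); // the stored record
console.log(lookupSession("sid=" + "0".repeat(64)));     // unknown id
```
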


