How to prevent Cookie Stealers
In this article, I will be giving a few tips on how to protect against cookie stealers.
Flash Cookie Stealers
Some sites allow flash to be embedded, and if your site isn’t secure, people can use javascript within the flash to steal cookies. In case you didn’t know, the simple way of embedding a flash onto an html page is:
<embed src="somefile.swf" width="somewidth" height="someheight">
But, people can easily put javascript in their flash to either steal cookies, or annoy the user. So to simply not allow javascript within the flash, just add allowscriptaccess="never" to the embed tag. Example:
And that way, all javascript within the flash will be blocked. But, if you have a site that allows users to upload .swf's directly to your site, they can still use javascript even with allowscriptaccess="never". What they could do is find the exact url to their uploaded .swf on your server, and spread that url around instead of the embedded flash. Well, not to fear, there is still a way to stop people from stealing cookies, but unfortunately, there is no way of stopping people from using annoying javascript in their uploaded flash.

So anyways, I'm assuming you use php to create your cookies. Well, as of php version 5.2, there is a new parameter to the setcookie() function. With this parameter, you can specify whether the cookie can only be accessed through the HTTP protocol. If set to TRUE, all javascript attempts to access the cookie will fail. In case you are wondering, to access a cookie with javascript, you do document.cookie.
XSS (Cross-site Scripting) Cookie Stealers
If you have a place on your site where people can submit or print text onto a page, make sure it is secure first. If it isn't, people can submit any kind of html or javascript to take control of the page. So, I will go over two php functions that can stop all html and javascript from being output on a page.
The first function is the strip_tags() function. With this function, you can strip any kind of tag that is being output. The only bad thing is it would strip non-html tags such as . Anyways, an example is below:
So, applying that function around all user submitted text will ensure that you're safe.
The second function is htmlentities(). I prefer this over the strip_tags() function, because it keeps everything, but doesn’t allow html. It will simply turn all special characters in html to their entity form. An example:
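The HttpOnly cookie flag from the php section above and the two output-encoding functions, shown together in an added example that is not code from the original article; the cookie name, helper names and the sample comment are assumptions:

```php
<?php
// Added example: HttpOnly cookie plus output encoding of user text.
// Cookie name 'sid', the helper names and the sample comment are assumed.

// 1. A cookie that document.cookie cannot read.
//    The seventh setcookie() argument is the httponly flag added in
//    PHP 5.2; the sixth (secure) keeps it off plain-HTTP connections.
//    Must be called before any output is sent to the browser.
function set_session_cookie($sessionId)
{
    setcookie(
        'sid',           // name
        $sessionId,      // value
        time() + 3600,   // expires in one hour
        '/',             // path
        '',              // domain (current host)
        true,            // secure: only sent over HTTPS
        true             // httponly: hidden from javascript
    );
}

// PHP's own session cookie can get the same flag through the
// session.cookie_httponly setting (also PHP 5.2+) before session_start().
ini_set('session.cookie_httponly', '1');

// 2. htmlentities(): keeps the text, neutralises the markup.
//    ENT_QUOTES also encodes single quotes, so the result is safe
//    inside a quoted attribute as well as in the page body.
function safe_html($userText)
{
    return htmlentities($userText, ENT_QUOTES, 'UTF-8');
}

// 3. strip_tags(): removes the tags instead of encoding them.
function strip_user_html($userText)
{
    return strip_tags($userText);
}

// Constructed sample of the kind of input an XSS cookie stealer relies on.
$comment = '<script>alert(document.cookie)</script>';

set_session_cookie('constructed-session-id');
echo '<p>' . safe_html($comment) . '</p>';
echo '<p>' . strip_user_html($comment) . '</p>';
```

Neither function helps if the text is echoed straight into a script or style block; there, no html encoding makes it safe and the text must simply not be placed in that context.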
Well, that concludes my mini tutorial on how to protect yourself from cookie stealers. I hope you learned something!
ghost 18 years ago
There are several more things that should be filtered, no magic function can be made, instead the web developer has to think what context the string is being echoed into. It may be into an element's attribute, style tag. Maybe into a style or even a script tag (I've seen both done without resulting in flaws).