Title :
Protecting cookies from Cross Site Script attacks using Dynamic Cookies Rewriting technique
Author :
Putthacharoen, Rattipong ; Bunyatnoparat, Pratheep
Author_Institution :
Dept. of Comput. Eng., King Mongkut's Inst. of Technol. Ladkrabang, Bangkok, Thailand
Abstract :
Web applications often use cookies to maintain an authentication state between users and web applications. These cookies are typically sent to the users by the web applications after the users have been successfully authenticated. Every subsequent request that contains the valid cookies will be automatically allowed by the web applications without any further authentication. The cookies are used to both identify and authenticate the users; therefore they are an interesting target for potential attackers. Cross Site Scripting (XSS for short) is one of the popular attacks often used to steal cookies from a browser's database. In this paper, we introduce a new technique called “Dynamic Cookies Rewriting”, which aims to render the cookies useless for XSS attacks. Our technique is implemented in a web proxy, where it automatically rewrites the cookies that are sent back and forth between the users and the web applications. With our technique in place, the cookies in the browser's database are not valid for the web applications; therefore an XSS attack will not be able to impersonate the users using stolen cookies.
Keywords :
Internet; authorisation; Web applications; Web proxy; XSS attacks; authentication state; browser database; cookies protection; cross site script attacks; dynamic cookies rewriting technique; Authentication; Browsers; Databases; Protocols; Web server; Cookies; Cross Site Script Attacks; HTTP and HTTPs; Web Proxy;
Conference_Title :
Advanced Communication Technology (ICACT), 2011 13th International Conference on
Conference_Location :
Seoul
Print_ISBN :
978-1-4244-8830-8