Cookie Poisoning

Synopsis

The Cookie Poisoning module monitors the Set-Cookie headers and the cookie values in responses from the server side. If the client later changes a monitored cookie value, the module detects this and takes the action configured by the user.
This module depends on the Session module, so session support must be enabled before the directives of this module can be used.

Directives

cookie_poisoning

Syntax cookie_poisoning on | off;
Default off
Context Location

Enables cookie poisoning protection in a location.

For instance:

server {
    session on;
    ...
    location / {
        cookie_poisoning on;
        ...
    }
}


cookie_poisoning_action

Syntax cookie_poisoning_action block | pass | remove | blacklist,num;
Default block
Context Location

This directive specifies the action to take when a cookie value is detected as changed.
Supported actions are:

  • block, block the request and drop it.
  • pass, let the request pass through SEnginx.
  • remove, remove the poisoned cookie from the request and then pass the request to the backend.
  • blacklist, add this session to the blacklist once the number of blocks reaches the threshold num.


Example:

cookie_poisoning_action block;          # block the request
cookie_poisoning_action remove;         # remove the poisoned cookie value
cookie_poisoning_action blacklist,5;    # after blocking 5 times, add the session to the blacklist
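The detection flow from the synopsis, together with the four actions of cookie_poisoning_action, as an added Python model. This is illustration code, not SEnginx's implementation: the per-session store, the sample headers and the function names are assumptions made for the example, and the blacklist threshold plays the role of the num argument.

```python
"""Model of the cookie poisoning check described above (added illustration, not
SEnginx's own code). A per-session store remembers the cookie values the backend
issued through Set-Cookie; each later request's Cookie header is compared with
that store and a mismatch is handled according to the configured action:
block, pass, remove, or blacklist,num. All headers below are constructed samples."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Session:
    issued: dict = field(default_factory=dict)  # cookie name -> value set by the backend
    blocks: int = 0                              # how many requests were blocked so far
    blacklisted: bool = False


def record_set_cookies(session, response_headers):
    """Remember every cookie the backend sets; Set-Cookie may appear several times."""
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)                      # attributes such as Path/HttpOnly are parsed away
            for cookie_name, morsel in jar.items():
                session.issued[cookie_name] = morsel.value


def parse_cookie_header(header):
    """Split a request Cookie header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def check_request(session, cookie_header, action="block", threshold=5):
    """Return (verdict, cookie header to forward or None, poisoned cookie names).

    `action` mirrors cookie_poisoning_action; `threshold` is the num part of
    blacklist,num. A cookie the backend never issued is not a poisoning case
    (the module only watches values it has seen in Set-Cookie)."""
    if session.blacklisted:
        return "blacklisted", None, []
    present = parse_cookie_header(cookie_header)
    poisoned = sorted(name for name, value in present.items()
                      if name in session.issued and session.issued[name] != value)
    if not poisoned:
        return "clean", cookie_header, []
    if action == "pass":
        return "pass", cookie_header, poisoned
    if action == "remove":
        kept = [f"{n}={v}" for n, v in present.items() if n not in poisoned]
        return "remove", "; ".join(kept), poisoned
    # block and blacklist both drop the request; blacklist also counts the blocks
    session.blocks += 1
    if action == "blacklist" and session.blocks >= threshold:
        session.blacklisted = True
        return "blacklisted", None, poisoned
    return "block", None, poisoned


def demo():
    """Walk one session through a tampered role cookie under blacklist,2."""
    session = Session()
    record_set_cookies(session, [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "role=user; Path=/"),
    ])
    verdicts = []
    for cookie in ["sid=abc123; role=user",      # untouched: clean
                   "sid=abc123; role=admin",     # tampered: blocked (1)
                   "sid=abc123; role=admin",     # tampered again: blacklisted (2)
                   "sid=abc123; role=user"]:     # even a clean request is now refused
        verdicts.append(check_request(session, cookie, action="blacklist", threshold=2)[0])
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['clean', 'block', 'blacklisted', 'blacklisted']
```

The model makes one design point of the module visible: a cookie the client invents is ignored, because only values the server actually issued are compared, while a value the server issued and the client altered is caught regardless of which action then applies. With remove, the forwarded Cookie header keeps only the untouched cookies.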


cookie_poisoning_log

Syntax cookie_poisoning_log on | off;
Default off
Context Location

Enables or disables logging. If enabled, this module writes an alert to SEnginx's error log when an attack has been detected.

Example:

cookie_poisoning_log on;


cookie_poisoning_whitelist

Syntax cookie_poisoning_whitelist ua_var_name=UA whitelist ip_var_name=IP whitelist ip_var_value=value;
Default -
Context Location

This directive specifies which IP whitelist and User-Agent whitelist to use. The IP whitelist is provided by nginx's geo module, and ip_var_value is the value of the geo variable that marks a whitelisted address.

Example:

# Define an IP whitelist
geo $ip_wl {
    ranges;
    default 0;

    127.0.0.1-127.0.0.1 1;
    3.0.0.1-3.2.1.254 1;
}

# Define a User-Agent whitelist
whitelist_ua $ua_wl {
    "autotest" ".*\.test\.com";
}

server {
    location / {
         cookie_poisoning_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
         ...
    }
}


Statistics

Use the SEnginx Statistics module to see cookie poisoning attack statistics.