1 00:00:00,720 --> 00:00:05,430 All right, so another important cookie attribute is the secure attribute. 2 00:00:06,360 --> 00:00:12,310 It tells the browser not to send the cookie over the connection unless it's HDB. 3 00:00:13,930 --> 00:00:14,750 So let's have a look at. 4 00:00:15,880 --> 00:00:19,900 On also open web developer, we're going to need that to. 5 00:00:20,800 --> 00:00:23,410 And then from the menu, choose secure cookies. 6 00:00:25,060 --> 00:00:25,900 And go to berp. 7 00:00:28,440 --> 00:00:30,300 And forward these requests. 8 00:00:31,620 --> 00:00:41,100 And here is the important response, we have the top security cookie again with the value no, so forward 9 00:00:41,100 --> 00:00:41,250 it. 10 00:00:42,370 --> 00:00:43,480 Go back to the browser. 11 00:00:44,930 --> 00:00:45,950 Click the request. 12 00:00:47,070 --> 00:00:48,450 And cookies. 13 00:00:49,490 --> 00:00:54,320 And looky here, what do we have for the top security cookie? 14 00:00:55,260 --> 00:01:05,650 It's defined as HTP only and has the expire and path attributes, but no secure directive. 15 00:01:06,330 --> 00:01:09,720 OK, change back to medium, go to berp. 16 00:01:11,640 --> 00:01:14,100 Now, this is the request sent to the server. 17 00:01:15,160 --> 00:01:19,610 As you can see, the only top security cookie goes with a request. 18 00:01:20,570 --> 00:01:23,240 And it is an HTP request. 19 00:01:24,520 --> 00:01:26,200 So I'll forward that a few times. 20 00:01:28,590 --> 00:01:36,000 Now, this time, we have this Akua attribute for the cookie, so forward it and go to the browser. 21 00:01:37,430 --> 00:01:38,390 Cook this one. 22 00:01:39,630 --> 00:01:41,400 And here are the cookie properties. 23 00:01:43,130 --> 00:01:44,960 So I think this is a very nice view. 24 00:01:46,750 --> 00:01:49,690 And the secure parameter is set by the server. 25 00:01:51,400 --> 00:01:53,680 OK, so now I'm going to open another page. 26 00:01:54,770 --> 00:02:00,050 Nothing happens because burp intercepts, let's look at the request. 27 00:02:00,930 --> 00:02:05,160 It doesn't contain the top security with the may be value. 28 00:02:06,960 --> 00:02:15,150 So because it is a secure cookie and the browser automatically prevents it from sending over a non SSL 29 00:02:15,150 --> 00:02:15,660 channel. 30 00:02:17,350 --> 00:02:18,700 OK, so let them go. 31 00:02:22,820 --> 00:02:23,660 And if you can change it. 32 00:02:23,690 --> 00:02:24,090 Hi. 33 00:02:24,430 --> 00:02:27,680 Yeah, I think it's going to exchange except for the expired value. 34 00:02:30,350 --> 00:02:32,150 So let's have a look at the code. 35 00:02:37,080 --> 00:02:37,950 Scroll down. 36 00:02:39,280 --> 00:02:43,990 And here is a code, so the sixth argument said. 37 00:02:44,900 --> 00:02:46,970 Is a secure attribute for a cookie. 38 00:02:48,170 --> 00:02:53,180 And the medium and high levels are only set. 39 00:02:54,830 --> 00:03:03,110 OK, so we have examined four attributes of cookies, so it's possible to see some other ones out in 40 00:03:03,110 --> 00:03:03,920 the real world. 41 00:03:04,700 --> 00:03:07,280 So I do want to add one more. 42 00:03:08,500 --> 00:03:10,060 The domain attributes. 43 00:03:11,060 --> 00:03:15,740 So it specifies the domain to which the cookie would be sent. 44 00:03:16,680 --> 00:03:24,840 Makes sense, the domain value must be the same or a subdomain of the domain from which the cookie is 45 00:03:24,840 --> 00:03:25,690 received. 46 00:03:26,850 --> 00:03:31,320 So this attribute matches, then the path attribute will be checked next. 47 00:03:31,860 --> 00:03:32,220 All right. 48 00:03:32,220 --> 00:03:33,780 So it's all about the cookies, baby. 49 00:03:34,900 --> 00:03:43,480 So in a penetration test, you should definitely report the cookies that are not HDB only and secure. 50 00:03:44,610 --> 00:03:46,830 Especially if they are selling cookies.