2
Spxx
1y

I know this question sounds dumb but when i google 50% say no and 50% say yes. So my question is, can i spread (a Fileless) Malware with cookies?

Comments
  • 2
    What would you like it to do?
  • 2
    It is not possible using publicly available information. It might be possible using exploits that haven't been found publicly.
    When someone published a way to do it it wouldn't work a few hours later because it gets fixed.
  • 7
    Not normally.

    A cookie is just a text that is read as a string by the browser.

    Also, under normal conditions a cookie is only visible to the same site or domain that put it there.

    So unless there is some script in the page that either explicitly reads and tries to execute the text as code, or that has some flaw the text cannot infect the computer.

    Theoretically a flaw in the browser possibly could open up something, but I have never heard about it.

    And the limit to same domain also lessens the use as you then probably could inject something that could carry a virus.

    The main/ or only real problem with cookies is identification and sites storing sensitive information that should not be stored in the browser.
  • 1
    What @Voxera said.

    A cookie is just a string.
    So unless you planted malware to read and execute the cookie... it wouldn't do anything.

    You could in theory drop malware with js, but then you still need someone or something to execute it outside of the browser (inside the browser you have sandboxing which prevents this kind of thing) and as this file sits in a /temp directory of some kind (os specific) it's usually well out of the way for normal users to find it and actually run it.
  • 2
    @C0D4 also unlikely in this case there have been exploits tricking the text parser into executing code. "It's just text" doesn't mean it's save.
  • 1
    Does the scenario involve javascript on a website you control (own/hijacked) and/or browser plugins?
  • 1
    @zvyn on the other hand nether are images in that case :)

    But cookies as a tech is not in it self dangerous.

    If there are bugs in the browser or the client or server side code that allows code execution from a cookie it could as easily allow code execution from request or response headers.

    So if you are trying to protect on that level, cut the cable and wrap a faradays cage around the computer :)
  • 2
    @Voxera true, reminds me of the recent "remote code execution by putting commands in HTTP headers" Drupal issues. Security is about assuming that everyone fucks up everything all the time and trying to survive that
Add Comment