Cookie poisoning is a type of cyber attack in which a bad actor forges, alters or otherwise manipulates an HTTP cookie to gain unauthorized access to a user's account, open a new account in the user's name or steal the user's information for purposes such as identity theft. It is often grouped with session hijacking, but the two are distinct: session hijacking steals a valid session token and replays it unchanged, while cookie poisoning changes the contents of a cookie that the server then trusts.
An attacker using cookie poisoning can gain unauthorized access to a user's account on the site the cookie was issued for, or trick the server into accepting a modified copy of a cookie with altered values. Because a cookie is stored in the user's browser and sent back with every request, the attacker does not need to intercept anything on the wire: whoever controls the client controls the cookie. The individual name=value items inside a cookie are often called parameters. A successful attack first identifies which parameters carry usable information, for example picking out a credit card number or a price from a cookie that also holds a session ID, a time stamp and other details about the purchase.
One such example of cookie poisoning involves an online retailer that stores the cart total in a cookie. During the "cart checkout" process the attacker edits the price value in that cookie before the browser sends it to the server; if the server charges whatever the cookie says rather than recomputing the total from its own catalogue, the user is billed less than the real price.
As cookie poisoning is fairly easy to do, securely designed web applications do not store security-relevant parameters (prices, user IDs, roles) in cookies at all. Either the cookie carries only an opaque session identifier and the real state is kept server-side, or the cookie's contents are integrity-protected, typically with an HMAC over the value under a server-held key, so that any modification is detected and the cookie rejected. Giving parameters non-intuitive names and values only slows an attacker down; it is obscurity, not a control. A web application firewall (WAF) can add a layer on top: it observes the cookies the web server sets and compares the cookie on each incoming HTTP request against that record, rejecting requests whose cookie has changed. This catches crude tampering, but it is a detection layer rather than a guarantee against all forgery, and it does not substitute for an application that refuses to trust client-supplied values in the first place.
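The checkout example above and the defences just described, as an added example that is not part of the original article: a vulnerable checkout that charges whatever `cart_price` the cookie carries, beside a hardened one that stores only SKU and quantity in an HMAC-signed cookie and prices the cart from a server-side catalogue. The `SECRET_KEY`, the `CATALOGUE` prices, the cookie names and the request headers are all constructed for illustration.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical server-side signing key; a real deployment loads it from a
# secret store and never ships it to the client.
SECRET_KEY = b"example-only-signing-key-rotate-me"

# Authoritative prices (in cents) live on the server, never in the cookie.
CATALOGUE = {"sku-100": 4999, "sku-200": 1500}


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pull one cookie out of a raw Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel else None


def vulnerable_checkout(cookie_header: str) -> Optional[int]:
    """Vulnerable: the price to charge is read straight from the cookie,
    so whoever controls the cookie controls the price."""
    price = _cookie_value(cookie_header, "cart_price")
    return int(price) if price is not None and price.isdigit() else None


def _sign(payload: str) -> str:
    """Append a URL-safe base64 HMAC-SHA256 tag: '<payload>.<tag>'."""
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def _verify(signed: str) -> Optional[str]:
    """Return the payload if its tag verifies under SECRET_KEY, else None."""
    payload, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all
    expected = _sign(payload).rpartition(".")[2]
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return payload


def issue_cart_cookie(sku: str, qty: int) -> str:
    """Server side: the Cookie header value the browser will send back after
    'add to cart'. Only SKU and quantity are stored; the price is not."""
    return "cart=" + _sign(f"{sku}:{qty}")


def hardened_checkout(cookie_header: str) -> Optional[int]:
    """Hardened: reject any cookie whose tag does not verify, then price the
    cart from the server-side catalogue rather than from client data."""
    signed = _cookie_value(cookie_header, "cart")
    if signed is None:
        return None
    payload = _verify(signed)
    if payload is None:
        return None
    sku, _, qty = payload.partition(":")
    if sku not in CATALOGUE or not qty.isdigit():
        return None
    return CATALOGUE[sku] * int(qty)


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    print(vulnerable_checkout("cart_price=4999; session=abc"))  # 4999
    print(vulnerable_checkout("cart_price=1; session=abc"))     # 1: attacker wins
    legit = issue_cart_cookie("sku-100", 2)
    print(hardened_checkout(legit))                              # 9998
    forged = legit.replace("sku-100:2.", "sku-100:200.")
    print(hardened_checkout(forged))                             # None: tag mismatch
```

Note that the hardened version would still accept a signed cookie copied wholesale from another user's browser; the HMAC stops modification, not theft, which is why it complements rather than replaces the Secure, HttpOnly and SameSite attributes and short session lifetimes.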