This guy has forgotten more about computers than I'll ever learn

This guy and Tom Scott are my 2 favorite people on Computerphile. I just wish Tom still made videos on here.

Shouldn't this video be called "Biscuit Nicking"?

Dr. Pound is really good. I want more videos from him.

I hate you guys. I have stuff to do, it's almost midnight and I keep on watching your so very interesting videos.

When I explain session ID's to other people (who usually couldn't care less), I always explain it like this; There are "blind guards" to "doors" in a webpage. At the front of the website there's someone who asks for your secret password, you tell them the password and they give you a special badge with Braille on it. You walk into the website and when you feel like going to another "room" (page)...you walk up to the guard and they grope you and say "oh well...you MUST be that person or they wouldn't have let you in, so I'll show you the stuff that only you are suppose to see"......the problem is when someone else makes a copy of that badge...the guards can't tell the difference. Then I go on about cross-site scripting until they go cross-eyed and then I install the NoScript browser extension for them cause they said "I don't care "how" it works...just make it so they can't do it.

I love these videos that you and Tom Scott do here on Computerphile with ways people can and do hack websites while providing LEGAL examples. I would really like it if you and Tom Scott do more of these.

11:37 It might be worth emphasising here that the reason this works is because the script specifically read the contents of the cookie and included it in the URL parameters for the image. Normally the browser will not send cookies intended for one site to a completely different one.

If I knew of this channel earlier my web projects would've benefited from it so much!

Computerphile drinking game. Take a shot every time he tugs on his sweater.

I'm so out of the loop. I didn't even realise this was possible in this way.

Upvote for that blog alone.

Might also be worth mentioning the HttpOnly flag for cookies here. I mean, obviously if you're vulnerable to XSS that's a serious problem regardless of what other security measures you've taken to protect users, but at least with HttpOnly set the JavaScript won't be able to steal cookies.

Thank you for always providing clear content Mike

Great explanation about this issue. Thank you very much.

For anyone thinking about pinning an IP address to a cookie, don't. Not only does it change if you move to new wifi network, it changes if you move between wifi and mobile, if you move between cell towers, if you're on public transport which offers free wifi and some ISPs even use a different IP address for every request (albeit usually South East Asian dial up connections). I've had people complain that they couldn't log in to a website before because their IP address changed between submitting a login form and getting the response back. Also, if you really want to secure yourself from SQL injection you should use prepared statements, ideally with stored procedures, and never adjust the base query at all. Escaping is not generally good enough to stop more advanced attacks.

Don't get ghostery... It's owned by ad targeting companies.

I love MIke Pound's videos!

Fantastic video!! I already knew all this stuff but still very enjoyable to watch. More web dev stuff please!

I steal my grandma's cookies all the time. Much easier than the way you do it. I just reach into the jar.

Good job as always, Mike.

You guys should do a series on stuff like this and how to try and prevent it. Since not too many people realise stuff like this especially when they begin coding - even Twitter has this happen not that long ago. I see how you show how it’s done, but you didn’t show how to prevent it ( an easy way that I use, is replace all angle brackets with the HTML code for it - it’s an ampersand and some text - now it won’t be valid HTML ). Heck, maybe even videos on how to secure your server itself.

Looked up ghostery as soon as you mentioned it and installed it to both browsers I use. Thanks!

Mike Pound is my favorite Computerphile host

Excellent breakdown.

Very interesting and eye-opening videos, pedagogically told. Simply great.

"It bags my cookie" sounds like British sexual innuendo.

alert("Just testing... :P")

I actually heard a story of the valve steamworks not being protected against XSS which would allow a rogue developer to put HTML tags in the description of their app description and steal the cookies of any valve administrator visiting the info of his app.

This is how Linus got hacked

Really amazin So well described So exciting

4:02 "Your blog is bad, and you should feel bad." Futurama reference.

very nice videos, computerphile, keep the good job

Excellent video

It would be awesome if you could provide your test website codes so one could try out for themselves and follow along Thanks for the awesome content

god bless this man. what a legend

There are lots of complicated and simple methods that you can implement between IP locking the cookie and nothing. Been a while since I had to develop a web app, but a common technique I would use would be that every time a request is made a new session ID (or a secondary ID) is generated and the last one is invalidated. This will mean your session ID keeps changing, reducing the size of each attack window and if your cookie is stolen and used when you next request with the cookie the attacker has invalidated, it can invalidated both sessions and notify the end user/server administrator that there has been a potential security breech. It doesn't stop the attacks completely but its a nice technique to make it harder and notify a user of the issue.

so over my head, but nice to have an inkling of what it means!

Great video and explanation. However, it would be nice to have a section on how to protect yourself from XSS.

This takes me back to redirecting quest books.

0:49 Requests 1:50 Cookies 2:42 Stealing 3:30 XSS

Excellent !!!!! Ty for such an excellent videos

Better not steal my cookies

You are a crafty man thanks for the lesson..........

you should do a video on Content Security Policy (CSP) and show how it can be used to protect against these types of attacks when having to use 3rd party applications which you may have little control of how they did their security.

03:46 shows a Samsung subnotebook with a TrackPoint. Which model is it? I really need my TrackPoint, because TouchPads are crappy to use and whenever I have to use them, I feel the need to smash the machine against the wall. So what laptops are there that have a TrackPoint - except for Lenovo ThinkPads, of course??

That's still vulnerable to sql injection, because you used mysql_real_escape_string, instead of mysqli_real_escape_string. The i stands for "improved", so obviously that's the one we should use. The other one has some subtle bugs, mainly character encoding ones.

i have a question when we using https protocol, then we can't steel cookies as far as i know then what we need to worry about steeling cookies?

great video

What was the name of the program he recommended to install?

Is it possible to use a similar concept to hijack someone else's toolbars/browser add-ons? I've heard of manipulating or tricking a user's browser to open a blank toolbar. This toolbar runs a script that allows you to access the user's local drives/files. Though I'm not sure it's seemless (not a true remote session). It seems strange that it would be possible but I can confirm I've seen it happen.

Why server does not use an IP address instead of cookie when it wishes to track clients requests and let's say shopping card? Because server can see only external IP address and can not see a local address of device. Is it the reason?

Trading a browser cookie for a photo of the Cookie Monster? Seems like a fair trade to me! 🤣

One thing that would be nice in these videos, imo, would be simplest ways in few words, how to defend yourself from most known exploits for new Web developers, uni students etc

This would be good to go through if your going to take your Comptia Security + test

Who is this guy? He is the coolest one to tell about computers at this channel, the videos about computer vision are totally amazing and this one was great too despite I've known all the information long before I've seen it. But if I need to tell someone what "XSS" is, I will definitely give the link to this video

This video seems like it might transition into a video about CSRF pretty well.

ive nearly had my cookies stolen twice(or more) on discord! it was some kind of script that ran when you joined a server...and its quite clever

"I get back an image and I think nothing's gone wrong but they've now got my cookies" scariest words.

Can you get this guy to explain software models, functions, attributes … I understand so many things for the first time when he is explaining it.

what program did he recommend at the star to block cookies?

Why did they choose the name "cookie"?

My screen jumps up and down sometimes; - but I have an optical mouse ...it seems to stop when I turn the mouse upside down... - I could run wireshark but just stare at it like a spastic...

Thank you As far I am aware, if an attacker will gain the session ID he won't be able to use it again because it was already used by the original user.

Is there also cookie spoofing after you get someone’s cookies and how does that work?

I remember when Facebook didn't require https for their mobile site. Soo many users details were visible in my school when I fired up FaceNiff or Firesheep. (ARP poisoning, traffic sniffing, cleartext cookies)

Very clear! Read more books though!

What was the cookie removing software he mentioned?

I love that he’s using MariaDB

"It's all very positive. Oh, well, nearly." My words exactly when I get 25% on a assignment.

oh man why do so many good videos come out after midnight

So rather getting an image from the server that holds the blog file, the attacker is redirecting the request to his submitcookie.php file on the attacker server. This .php file stores the cookie in a databse and returns back to the defendless user the cookie monster image. Am I understanding this correctly?

In a normal situation, wouldn't the post with the session cookie be stopped by the browser because of same origin policy?

i love these videos!!!

since most forums allow img tags, for pictures, (or tell me if they dont :p), doesnt it mean that practically every forum is vulnerable? what countermeasures do they use?

Am I understanding this correctly or am I missing something? The script that he sent is now a permanent part of the website as it will be loaded from the database as soon as a user requests to view the blog entries. When the script is loaded, the client will run it and send their cookie to the attacker's website. The user doesn't need to do anything other than load that blog post in order to send off their cookie?

Prof. Can you please do a similar video for heap overflow? Thanks

the interviewer really sounds like the guy from sonicstate. I always thought Brady was doing the interviews...

Lots of PHP frameworks will now change your session ID on each request (while keeping the data associated to the new ID), this prevents these types of attacks as the ID that gets stolen is immediately invalid

Is there the possibility of reading out the whole cookie file? I mean it's just a file on the computer which can be read out. Can Javascript do such things?

Shouldn't the animation show the cookie being sent to a different server on which the image is hosted?

Is that code still vulnerable to SQL injection? I thought it should be using prepared statements and enforcing UTF-8?

Right at the start you recommend installing an app to stop cookies 'tracking our whereabouts' but I couldn't understand what you said. Ghost something?

It’s scary how easy doing these sorts of things are sometimes. If I recall, however, XSS attacks aren’t nearly that much of a threat because because of SSL. The request is private, and you’d have to forge the certificate, which is nearly impossible. Do I understand correctly?

Cookie stealing only permits logging into other person's account when their account is set up to "keep me logged in" right? Because then the server doesn't ask for username and password?

Ghostery itself does tracking. It's pretty messed up.

Reauth when performing important tasks is one method of hardening security. Another might be to challenge again if geoip logs detect impossible travel (i.e. it suddenly looks like you're on the other side of the world or, at least, a completely different Autonomous System).

this was a good video!

would the attacker also need to be authenticated to actually use your cookie?

7:14 Code like that, takes me waaay back 😂

Put that cookie down, now!

Instructions unclear, the cookies monster came after me stoling it's cookies.

Is it legal to do this on your website images? So if someone else excepting yours users is using that image, they will also send their cookies to your website?

An alternative to XSS and often used in Spam emails, is Clickjacking. Look it up if you're a web dev, or perhaps a video on this would be nice +Computerphile

Great video. I already know all this but know; PHP Sessions and Cookies are WAY different. Just like LocalStorage.

Even a "myimage.jpg" can perfectly be a php file (or any other scripting language, fwiw). The "file extension" concept have no place in HTTP protocol, so the browser doesn't actually know if "image.jpg" is an image or anything else named like that (including a folder). It doesn't even have to exist on the server, as you have multiple configuration options for your routing and rewriting of the request paths once the request hits the server.

Where can I download this example site?

BRUH this guy really knows his stuff wow.........makes me wanna drop electrical and pick up programming/coding

crosseyed what? awesome, thanks

Cool tutorial