Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible?
A.
Any cookie can be replayed irrespective of the session status
B.
The scenario is invalid as a secure cookie cannot be replayed
C.
It works because encryption is performed at the network layer (layer 1 encryption)
D.
It works because encryption is performed at the application layer (single encryption key)
Explanation would be:
Secure Cookies should only be alowed by the browser to send and receive over HTTPS. Thus there is an Application Layer Encryption.
A Secure Cookie is not encrypted and thus can be plainly read.
XSS is done from within the browser of the victem, within the memory allocated by the browser, regardless of any transport or any transport encryption.
Session Cookies contain a token that is known on the server as long as the session has not expired on the server.
You can always craft a HTTP request containing the cookie in your text-editor and send that to the server.