
A typical error when setting cookies in PHP

I want to share one detail of setting cookie values that web developers often forget.

In my practice of researching web applications for vulnerabilities during 2009-2011, this error occurred in 87% of the web applications written in PHP.

To bring this figure down at least somewhat, I decided to write this text.



This is not even about the httpOnly flag, although using it is equally important and should always be done.



Consider the sample code:

<?php
// Neither call specifies a Domain attribute or any flags;
// the browser is left to decide both
setcookie('foo', 'bar1');
header('Set-cookie: foo1=bar11');
?>




This code obviously sets two cookies, named foo and foo1.

Now the main question: for which domain and with which flags?


Let's look at the source: the HTTP response of the web server:

[image: the web server's HTTP response headers]



As you can see, the server says nothing about the domain or the flags.

So the question moves to another level: which domain and flags will the browser choose for such a header?



In the case of Chrome (current version 18.0.1025.168), everything is fine: the domain will be exactly the one the request came from. In my example, foo.bar.com:

[image: the cookie as stored by Chrome]



If everything were that good, there would probably be no text here...



Let's check Internet Explorer. Since I don't know any nice plugins for viewing cookies, I set the cookies for the foo.com domain and output document.cookie from the bar.foo.com domain:

[image: document.cookie output on bar.foo.com in Internet Explorer]



This is very sad. And, from another angle, funny.

When it receives an HTTP response from the server containing

Set-cookie: foo=bar

Internet Explorer sets foo=bar for ALL subdomains, that is, *.foo.com in my example, without any flags such as httpOnly.



All that remains for the attacker, whose role I often have to play during audits, is to find an XSS on any subdomain of the target host, which in practice is very easy to do.



But what about other browsers?

Firefox  12.0   httpOnly  wildcard
Safari   5.1.5  httpOnly  wildcard
Opera    11.62  httpOnly  wildcard




Thus, by using constructs like

setcookie('foo','bar1');

and

header('Set-cookie: foo1=bar11');

you set a cookie on ALL subdomains of the current one if the client uses Internet Explorer (8-9).
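As an added example (not code from the original post), here is the weak form from the post next to a form with the flags spelled out, plus a pre-send check over the queued Set-Cookie headers. The function names are hypothetical, and the code assumes the application is served only over HTTPS so that the Secure flag can be used.

```php
<?php
// Added example, not from the original post. Contrasts the post's weak setcookie()
// with a form that sets Secure and HttpOnly, and checks queued Set-Cookie headers
// for missing flags. Assumption: the site is served only over HTTPS.

// Weak form from the post: the browser picks Domain and flags. Internet Explorer
// scopes it to *.foo.com and no HttpOnly flag is set.
function set_cookie_weak(string $name, string $value): void
{
    setcookie($name, $value);
}

// Hardened form: Secure and HttpOnly set explicitly (7-argument signature, PHP >= 5.2).
// Note that an explicit Domain attribute always covers subdomains as well (RFC 6265),
// so HttpOnly, not Domain, is what stops a subdomain XSS from reading document.cookie.
function set_cookie_hardened(string $name, string $value, int $ttl = 3600): void
{
    setcookie($name, $value, time() + $ttl, '/', '', true, true);
}

// The same flags for code that writes Set-Cookie by hand via header(), as in the post.
function cookie_header(string $name, string $value): string
{
    return sprintf('Set-Cookie: %s=%s; Path=/; Secure; HttpOnly',
        rawurlencode($name), rawurlencode($value));
}

// Returns every Set-Cookie header in $headers that lacks HttpOnly or Secure.
function find_weak_cookie_headers(array $headers): array
{
    $weak = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;                       // not a cookie header
        }
        if (!preg_match('/;\s*HttpOnly\b/i', $h) || !preg_match('/;\s*Secure\b/i', $h)) {
            $weak[] = $h;
        }
    }
    return $weak;
}

// Constructed sample: the two headers the post's code emits, one hardened header,
// and an unrelated header that the check must ignore.
$sample = [
    'Set-cookie: foo=bar1',                 // from setcookie('foo','bar1')
    'Set-cookie: foo1=bar11',               // from header('Set-cookie: foo1=bar11')
    cookie_header('foo2', 'bar2'),
    'Content-Type: text/html; charset=utf-8',
];
foreach (find_weak_cookie_headers($sample) as $h) {
    echo "missing HttpOnly/Secure: $h\n";
}
// In a real request, run the same check over headers_list() before any output is sent.
```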



Remember this!

Source: https://habr.com/ru/post/143276/


