Follow Cyber Kendra on Google News! | WhatsApp | Telegram

Cookie Sandwich - New Attack Steals HttpOnly Cookies

New Cookie-Based Attack Bypasses HttpOnly Protections, Apache Tomcat Vulnerable to this Cookie Manipulation Attack.

cookie sandwich technique

A concerning new web security vulnerability dubbed "Cookie Sandwich" has been discovered that allows attackers to bypass HttpOnly cookie protections on certain web servers. 

Security researcher Zakhar Fedotkin (@d4d89704243) from Port Swigger, detailed how this technique exploits legacy cookie handling features to potentially expose sensitive session data.

The vulnerability stems from how web servers process cookies when special characters are embedded within them. By strategically placing quotes and legacy cookies, attackers can manipulate the server into misinterpreting cookie header structures, potentially exposing HttpOnly cookies that are normally inaccessible to client-side scripts.

The attack takes advantage of quirks in how Chrome handles legacy cookies, allowing attackers to create cookie names starting with "$" through JavaScript. 

The researcher demonstrated how this can be combined with Apache Tomcat's support for both modern (RFC6265) and legacy (RFC2109) cookie standards to execute the attack.

In a proof-of-concept, Fedotkin successfully exploited the vulnerability against a tracking domain that reflected session parameters. The attack chain involved:

  1. Leveraging a reflected XSS vulnerability using an unpatched event handler
  2. Manipulating cookie order through careful path attribute configuration
  3. Using the "$Version" cookie to force legacy parsing mode
  4. Capturing the exposed HttpOnly PHPSESSID cookie from JSON responses

The researcher noted this technique was particularly effective against analytics systems that handle session tracking, as they often reflect cookie values without proper validation.

"Analytics often employ cookies or URL parameters to monitor user actions, and rarely validate the tracking ID. This makes them a perfect target for the cookie sandwich attack."

The vulnerability affects multiple versions of Apache Tomcat (8.5.x, 9.0.x, and 10.0.x) that support the legacy RFC2109 standard by default.

Impact of Cookie Sandwich Flaw

The implications of this vulnerability extend beyond just session hijacking. Security experts note that the Cookie Sandwich technique could impact a wide range of web applications, particularly those using legacy frameworks or maintaining backward compatibility with older cookie standards.

The researcher's detailed proof-of-concept included a sophisticated JavaScript exploit that demonstrates how attackers could automate the attack. 

malicious http request

The exploit creates a hidden iframe, manipulates cookie attributes, and leverages Cross-Origin Resource Sharing (CORS) requests to extract protected cookie values. This implementation shows how seemingly benign features like analytics tracking can be weaponized to compromise session security.

A particularly noteworthy aspect of the vulnerability is its effectiveness against Python frameworks, which handle quoted strings differently than other platforms. In these cases, the attack doesn't even require the special $Version attribute, making it more straightforward to exploit. 

The researcher demonstrated how Python frameworks automatically encode special characters in cookies, leading to a different but equally vulnerable parsing behavior.

GET / HTTP/1.1
Cookie: param1="start; sessionId=secret; param2=end"
 =>
HTTP/1.1 200 OK
Set-Cookie: param1="start\073 sessionId=secret\073 param2=end";

Mitigation Guide

To protect against this attack vector, web developers are advised to carefully review their cookie parsing implementations and understand how their frameworks handle different cookie standards. Special attention should be paid to legacy compatibility features that could potentially be abused.

The full technical details of the vulnerability have been documented to help developers understand and mitigate potential risks in their applications.

Post a Comment