AttackFlow Findings Dictionary


HTTP Cookie Injection

An attacker can trick legitimate users' browsers or applications into accepting forged cookies as if the legitimate server code had set them.

Severity: High

Fix Cost: Medium

Trust Level: Low

Cookies are one of the most controversial mechanisms of web technology. The definitive specification was published in April 2011, nearly 17 years after their first use.

Cookies are the way to "remember" site visitors, and server-side applications trust and process them for several purposes.

Therefore, if an attacker manages to modify cookie contents in HTTP responses, that ultimately means the possibility of manipulating server behaviour towards a number of weaknesses.

One such weakness is present in the code below:

using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

public class BooksController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Add(Book book)
    {
        BookService.AddtoChart(book);

        // The user-supplied book name is written into the Set-Cookie header unvalidated.
        var response = Request.CreateResponse(HttpStatusCode.OK);
        var cookie = new CookieHeaderValue("lastbookname", book.Name);
        response.Headers.AddCookies(new[] { cookie });
        return response;
    }
}

Sending a book name that contains CR/LF characters (URL-encoded as %0d%0a) lets the request add extra HTTP response headers. Using those extra headers, attackers can create fake content for HTTP caches and therefore for every end user served from those caches.

There are other possible ways of creating such weaknesses; another example is shown below.

using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;

public class RemoteCheckController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Check(Credentials credentials)
    {
        // The submitted username is copied straight into a cookie value.
        var whoCookie = new HttpCookie("who", credentials.username);
        HttpContext.Current.Response.Cookies.Add(whoCookie);
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}

The same weakness in a Java (Spring MVC) controller:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class BooksController {

    @Autowired
    private BookRepository bookRepository;

    @RequestMapping(method = RequestMethod.POST)
    public String add(Book book, HttpServletResponse response) {
        bookRepository.AddtoChart(book);
        // The user-supplied book name is written into the Set-Cookie header unvalidated.
        Cookie myCookie = new Cookie("lastbookname", book.getName());
        response.addCookie(myCookie);
        return "books"; // view name; stands in for the original "// return"
    }
}

As in the .NET example, a book name containing CR/LF characters (%0d%0a) is copied into the Set-Cookie header, which lets the request create extra HTTP response headers and, through them, plant fake content in HTTP caches and in the browsers of end users served from those caches.
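To make the mechanism concrete, the following Python script is an added example, not AttackFlow's code and not the controllers above. It serializes a minimal HTTP response with a Set-Cookie header the naive way (raw concatenation, which is what both controllers do), parses it back the way a downstream proxy or cache would, and shows the CR/LF inside the book name becoming a separate header. Beside it sit the two remediations a reviewer would ask for: a validator for the RFC 6265 cookie-octet grammar, and percent-encoding of the value before it is written. The function names, the header name X-Injected and the sample book name are constructed for the demonstration. Many current frameworks already reject or encode control characters in cookie values; the check still belongs in the controller, because relying on container defaults is brittle across versions and hosts.

```python
"""Added example (not AttackFlow's code): how a CR/LF in a cookie value turns
one Set-Cookie header into several, and the checks that prevent it."""
import re
from typing import List, Tuple
from urllib.parse import quote, unquote

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# (printable US-ASCII without CTLs, SP, DQUOTE, comma, semicolon, backslash).
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")
# cookie-name is an HTTP token (RFC 2616): no CTLs or separators.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_value(value: str) -> bool:
    """True if every character is a cookie-octet; CR, LF, SP, ';' and so on fail."""
    return _COOKIE_OCTET.match(value) is not None


def encode_cookie_value(value: str) -> str:
    """Remediation: percent-encode so any input becomes a valid cookie-octet string."""
    return quote(value, safe="")


def naive_set_cookie(name: str, value: str) -> str:
    """What the vulnerable controllers effectively do: raw concatenation."""
    return f"Set-Cookie: {name}={value}"


def safe_set_cookie(name: str, value: str) -> str:
    """Hardened version: reject anything outside the RFC 6265 grammar."""
    if _TOKEN.match(name) is None:
        raise ValueError("cookie name is not an HTTP token")
    if not is_valid_cookie_value(value):
        raise ValueError("cookie value contains characters outside RFC 6265 cookie-octet")
    return f"Set-Cookie: {name}={value}"


def build_response(set_cookie_line: str, body: str) -> bytes:
    """Serialize a minimal HTTP/1.1 response the way a server would."""
    head = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n" + set_cookie_line + "\r\n\r\n"
    return head.encode("latin-1") + body.encode("utf-8")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Parse headers the way a downstream proxy or cache would: one per CRLF line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def headers_from_book_name(url_encoded_name: str, hardened: bool) -> List[Tuple[str, str]]:
    """Drive both code paths with a URL-encoded form value, decoded as a framework would."""
    name = unquote(url_encoded_name)
    if hardened:
        line = safe_set_cookie("lastbookname", encode_cookie_value(name))
    else:
        line = naive_set_cookie("lastbookname", name)
    return parse_headers(build_response(line, "real page"))


if __name__ == "__main__":
    # Constructed sample input: a "book name" carrying CR/LF, as in the %0d%0a remark above.
    SAMPLE = "Dune%0d%0aX-Injected:%20yes"
    print(headers_from_book_name(SAMPLE, hardened=False))
    print(headers_from_book_name(SAMPLE, hardened=True))
```

Run it to see the naive path yield three headers (Content-Type, Set-Cookie and the injected one) while the hardened path yields two, with the cookie value percent-encoded so the CR/LF can never reach the wire; `safe_set_cookie` raises `ValueError` if handed the raw value, which is the right outcome when validation and encoding are layered and something upstream skips the encoding step.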
