
A typical error when setting COOKIE with PHP


I want to share one detail of setting COOKIE values that web developers often overlook.
In my experience researching web application vulnerabilities in 2009-2011, this error was present in 87% of the web applications written in PHP.
I decided to write this article in order to reduce that rate.

I will not even discuss the httpOnly flag here, although using it is very important and necessary.

Let's look at an example of code:
<?php
// Both lines emit a Set-Cookie header that carries only name=value:
// no Domain, Path, Secure or HttpOnly attribute is sent.
setcookie('foo', 'bar1');
header('Set-cookie: foo1=bar11');
?>

This code clearly sets two COOKIE values, named foo and foo1.
The main question is: which domain and which flags apply to them?

Let's refer to the source, the web server's HTTP response:
[screenshot: raw HTTP response headers with the two Set-Cookie lines]
As we can see, the server says nothing about the domain or the flags.
So the question moves to another area: which domain and flags does the browser choose for such a header?

In the case of Chrome (current version 18.0.1025.168) everything is fine: the domain will be exactly the one the request came from. In my example, it is foo.bar.com:
[screenshot: Chrome cookie viewer showing the cookie scoped to foo.bar.com]
If it were that good everywhere, this text would probably not exist ...

Let's check Internet Explorer. I do not know of any nice plug-in for viewing COOKIEs in it, so let's set the cookie from the domain foo.com and read document.cookie from the domain bar.foo.com:
[screenshot: document.cookie on bar.foo.com showing the cookie set by foo.com]
It is very sad, but on the other hand it is funny.
Upon receiving Set-cookie: foo=bar in the server's HTTP response, Internet Explorer sets foo=bar for ALL subdomains (in my example, *.foo.com), and the cookie has no flags at all, such as httpOnly.

An attacker then only has to find an XSS on any subdomain of the target host, which is very easy to do in practice.

So what about other browsers?
[table: Browser | httpOnly | wildcard; the result cells were images in the original and are not preserved]
Firefox 12.0
Safari 5.1.5
Opera 11.62

To sum up: when the following constructs are used

setcookie('foo','bar1');
or

header('Set-cookie: foo1=bar11');
and the client is Internet Explorer (8-9), the COOKIE is set for ALL subdomains.

Remember this!
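A small check for the problem described above, added here as an example (it is not code from the original post): it scans raw HTTP response headers, matches Set-Cookie case-insensitively (the header() call above writes it as "Set-cookie"), and reports which of Domain, Path, Secure and HttpOnly each cookie leaves for the browser to decide. The sample response is constructed from the article's two cookies plus one hardened cookie for comparison.

```python
from typing import Dict, List

# Constructed sample, not captured from a real server: the two headers the
# article's PHP snippet emits, plus one cookie with every attribute spelled out.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: foo=bar1
Set-cookie: foo1=bar11
Set-Cookie: sid=abc123; Domain=foo.bar.com; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Attributes that should be set explicitly rather than left to browser defaults.
# Without Domain the scope is host-only per RFC 6265, but IE 8-9 (as shown in the
# article) applied such a cookie to every subdomain.
REQUIRED = ("domain", "path", "secure", "httponly")


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a dict; attribute keys are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": cookie_value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs get an empty value
    return attrs


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for every Set-Cookie header."""
    findings: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        hname, sep, hvalue = line.partition(":")
        # HTTP header names are case-insensitive: 'Set-cookie' == 'Set-Cookie'.
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        findings[cookie["__name__"]] = [a for a in REQUIRED if a not in cookie]
    return findings


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run against a real response (for example the output of curl -i) the same function shows at a glance which cookies were emitted the way the article warns against.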
ZimerMan, 23 May 2014, 18:18