A typical error when setting COOKIE with PHP
I want to share one feature of setting COOKIE values that is often overlooked by web developers.
Based on my experience researching web application vulnerabilities in 2009-2011, this error occurred in 87% of the web applications that were written in PHP.
To reduce this rate, I decided to write this article.
I will not even discuss the httpOnly flag here, though its use is very important and necessary.
Let's look at an example of code:
This code clearly sets two COOKIE values with the names foo and foo1.
The main question is: what are the domain and the flags?
Let's refer to the source, the web server's HTTP response:
As we can see, the server says nothing about the domain or the flags.
Then the question moves to another area: which domain and flags does a browser choose for this header?
Everything is fine in Chrome (current version 18.0.1025.168): the domain will be exactly the one from which the request came. In my example, it is foo.bar.com:
If everything were that good, this text probably would not be here...
Let's check Internet Explorer. I do not know any nice plug-ins to view the COOKIE, so let's set the cookie for the domain foo.com and print document.cookie from the domain bar.foo.com:
It is very sad, but on the other hand it is funny.
(Figure: the cookie header in the server HTTP response)
Internet Explorer sets foo=bar for ALL subdomains (in my example, *.foo.com), without any flags such as httpOnly.
An attacker only needs to find an XSS on any subdomain of the target host, which is very easy in practice.
So what about other browsers?
The same check (httpOnly flag and wildcard subdomain behaviour) was done for:
Firefox 12.0
Safari 5.1.5
Opera 11.62
So, the following constructions are used:
When the client uses Internet Explorer (8-9), the COOKIE is set for ALL subdomains.
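As an added example (not code from the original article), the following Python script models the two browser behaviours described above: a cookie set without a Domain attribute is a host-only cookie in browsers that follow RFC 6265, while legacy Internet Explorer treats it as valid for every subdomain. The hostnames and Set-Cookie values are constructed for illustration; the header strings mirror what PHP's setcookie() emits.

```python
"""Model where a cookie set by a PHP response will be sent back.

Two browser models are simulated:
  'rfc6265'   - no Domain attribute => host-only cookie (Chrome, Firefox, ...)
  'legacy_ie' - no Domain attribute => cookie covers all subdomains (IE 8/9)
All hostnames and headers below are constructed sample values.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag attrs => True
    return name.strip(), value, attrs


def cookie_scope(header, response_host, browser="rfc6265"):
    """Return (domain, host_only, httponly) as the browser would store it."""
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        # Explicit Domain attribute: a domain cookie in every browser model.
        return domain.lstrip(".").lower(), False, "httponly" in attrs
    # No Domain attribute: host-only, except in the legacy IE model.
    return response_host.lower(), browser != "legacy_ie", "httponly" in attrs


def domain_matches(request_host, domain, host_only):
    """RFC 6265 domain-match; host-only cookies match the exact host only."""
    request_host = request_host.lower()
    if request_host == domain:
        return True
    return (not host_only) and request_host.endswith("." + domain)


def cookie_sent_to(header, response_host, request_host, browser="rfc6265"):
    """True if the browser would attach this cookie to a request for request_host."""
    domain, host_only, _ = cookie_scope(header, response_host, browser)
    return domain_matches(request_host, domain, host_only)


def exposed_hosts(header, response_host, candidates, browser="rfc6265"):
    """List the candidate hosts (e.g. other subdomains) that receive the cookie."""
    return [h for h in candidates if cookie_sent_to(header, response_host, h, browser)]


if __name__ == "__main__":
    weak = "foo=bar"                                   # setcookie('foo', 'bar')
    hosts = ["foo.com", "bar.foo.com", "evil.foo.com", "foo.com.example"]
    for model in ("rfc6265", "legacy_ie"):
        print(model, exposed_hosts(weak, "foo.com", hosts, model))
```

Running the block prints the exact host for the RFC 6265 model and every subdomain for the legacy IE model, which is the difference the article demonstrates with document.cookie.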