3 cookie related CVEs!!
Back in June my team and I found a vulnerability in the way multiple frameworks/languages parse cookies which could allow a potential attacker to bypass cookie prefixes. At its core the vulnerability exploits the fact that these languages decode the entire cookie string, which includes the name of the cookie. In most cases that’s fine however in some unique cases certain assumptions are made around the naming of cookies which this exploit is able to bypass. Rails (rack), Dotnet and PHP were all affected.
In each of the affected languages the flaw allowed for a
__%53ecure- cookie to be set without meeting the required attributes (I.e. set without HTTPS, from root domain, or from a secure page). This means a malicious cookie set by an attacker could potentially craft a malicious
__%48ost- and set it on their victim. Note: another exploit such as XSS would be required to actually set the cookie. What makes this dangerous is that an XSS vulnerability on a subdomain could even be used, bypassing any assumptions the server has around the cookie, for example
__Host- cookies only being set on the parent domain while
__%48ost cookies can be set anywhere.
If an attacker had XSS on a subdomain they could use the following snippet to set a malicious
__%48ost- cookie that would be read by the parent domain as a
__Host- cookie. Then the vulnerable language would decode the cookie and treat it as a
__Host- prefixed cookie:
document.cookie = "__%48ost-evil=evil; domain=.example.com";
This is the example test case I submitted to rails to catch this issue. Similar tests were also submitted to PHP and Dotnet:
describe Rack::Utils, "malicious cookie" do
Ultimately this vulnerability lead to 3 CVEs:
Thanks to my team at GitHub for helping me identify this issue! Thanks to the Rails, PHP and Microsoft dotnet teams for the fixes!