Full Report
Cookies are a core part of browser mechanics, and understanding how they work is important when escalating existing issues. In this article, the author dives into the cookie quirks of various frameworks and browsers.

First, when are cookies sent? This depends on the Domain attribute of a cookie. If the domain is set to example.com, then all subdomains will send it as well. If a cookie is set from a subdomain onto the parent domain, it will be sent to the parent as well; it is interesting that this is allowed at all. Chrome and Firefox order cookies first by path length, then by last updated time. So, if you have a vulnerability that lets you set a cookie, you can get yours parsed first by setting it with a longer path. Browsers also allow cookies with an empty name: for instance, =test value; is a valid cookie that can be set. When rendered, this breaks cookie parsing on most web servers. So, we can set arbitrary cookies that are not Secure or Host cookies.

A new attack vector presented in this post is cookie smuggling. The idea is to break the parsing of cookies when you control some of them. If you can add a double quote (") to a cookie, some parsers will follow the RFC2616 standard while others follow RFC2965. Why does this matter? The double quote changes the meaning of the cookies being parsed. Using this, HttpOnly cookies could be smuggled, or some cookies could be set outright.

Going deeper into the parsing issues, we need everything to parse cookies the same way. In Java Undertow, they found that parsing of a cookie value begins right after a double quote. So, if we have a cookie with double quotes, it will parse the rest of the data as our cookie, smuggling in our cookie! Python's stdlib http.cookies.SimpleCookie and http.cookies.BaseCookie suffer from a similar issue: if a space is found in the cookie string, the parser treats it as a delimiter and starts parsing a new cookie.
Since the Python library has this issue, all frameworks built on it are vulnerable as well. Cookie injection is bad wherever cookie-based CSRF protections are used, wherever Secure or Host cookies can be spoofed, and wherever authorization checks look for specific cookies. Although they contacted many of the projects, only Jetty actually responded. So, many of these issues will exist going forward! Overall, a good article on cookie quirks that I had no idea about!
Analysis Summary
# Tool/Technique: Cookie Smuggling and Injection Vulnerabilities
## Overview
This summary details various web application vulnerabilities stemming from inconsistencies in how browsers encode and how different web frameworks and libraries parse HTTP Cookie headers. The core issue revolves around exploiting differences in cookie parsing rules (often between older RFCs like RFC2616 and newer ones like RFC6265) or unexpected delimiters (like quotes, spaces, or commas) within cookie strings. The primary goal of these exploits—referred to as Cookie Smuggling or Cookie Injection—is to hijack the parsing of subsequent cookie data, potentially leading to the exfiltration of sensitive cookies (like `HttpOnly` session tokens), bypassing CSRF protections, or achieving authorization bypasses.
## Technical Details
- Type: Technique
- Platform: Web Servers/Frameworks (Java/Python)
- Capabilities: Exploiting parser differences to inject or smuggle data within HTTP Cookie headers, leading to data leakage or session hijacking.
- First Seen: The context implies recent disclosure of these specific parsing flaws (May 2023), though the underlying RFC discrepancies have existed longer.
## MITRE ATT&CK Mapping
- T1539 - Steal Application Access Token (If session cookies are exfiltrated)
- T1539.001 - Steal Cookie
- T1560 - Archive Collected Data (As sensitive cookie data is often bundled for exfiltration)
- T1560.001 - Archive via Utility
- T1071 - Application Layer Protocol (Exploiting HTTP Protocol nuances)
- T1071.001 - Web Protocols (HTTP/HTTPS)
- T1566 - Phishing (If used in conjunction with XSS to exfiltrate data)
- T1566.001 - Spearphishing Attachment (Less direct, but data may be exfiltrated via covert channels)
*(Note: Direct mappings are difficult as this is a vulnerability exploitation technique rather than a dedicated offensive tool.)*
## Functionality
### Core Capabilities
- **Cookie Smuggling via Double Quotes (`"`):** Exploiting servers that adhere to older standards (RFC2616) regarding quoted strings. When a cookie value starts with a double quote, parsers continue consuming the header until the end of the entire string, treating subsequent valid cookie pairs (even those separated by semicolons) as part of the initial cookie's value.
- **Cookie Injection via Delimiters (Space, Comma):** Exploiting parsers that incorrectly use delimiters like a space (Python `SimpleCookie`) or a comma (Zope) as separators between cookie key-value pairs, enabling injection of new, arbitrary cookies.
### Advanced Features
- **Sensitive Cookie Exfiltration:** Using Cookie Smuggling to include `HttpOnly` cookies (like `JSESSIONID`) within the value of a non-HttpOnly cookie that is rendered on the page (e.g., a header cookie like `RENDER_TEXT`), allowing an XSS payload to read the smuggled session token.
- **CSRF Bypass:** Injecting a value for legitimate CSRF token cookies, thereby bypassing application-level CSRF protection mechanisms.
- **Spoofing of Secure/Host Cookies:** Injecting values that appear to originate from secure contexts (`__Secure-` or `__Host-` prefixed cookies) if backend servers incorrectly trust or validate these headers post-initial parsing.
## Indicators of Compromise
- File Hashes: N/A (This is a parsing flaw, not specific malware.)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Increased outbound traffic from pages that process user-controlled inputs in headers, particularly if sensitive cookies are being transmitted to an attacker-controlled endpoint via an XSS payload executed post-smuggling. (Defanged example: `attacker-server[.]com`)
- Behavioral Indicators: Web server logs showing abnormally long or unusually formatted Cookie header values being parsed into single entities, especially when containing double quotes or unexpected delimiters.
## Associated Threat Actors
The article does not name specific threat actors, but vulnerabilities exploiting web application parsing logic are often leveraged by attackers involved in general web application compromise, session hijacking, and data theft.
## Detection Methods
- **Signature-based detection:** Signatures targeting specific non-compliant Cookie header formats sent by browsers or specifically crafted by an attacker (e.g., headers containing a semicolon outside of expected positions in quoted strings).
- **Behavioral detection:** Monitoring for application behavior where sensitive session data appears to be reflected in non-secure locations or transmitted inappropriately.
- **YARA rules:** Not directly applicable unless a specific piece of custom exploit tooling is used.
## Mitigation Strategies
- **Strict Input Validation and Sanitization:** Ensuring that all inbound cookie strings are strictly validated against modern standards (RFC6265).
- **Library Updates:** Updating or patching affected web server frameworks and standard libraries to use parsers compliant with modern RFCs. (e.g., Jetty released fixes addressing related issues, CVE-2023-26049).
- **Path Isolation/Prefixing:** Using `__Host-` prefixed cookies when possible, as they cannot be sent to subdomains or superdomains, reducing external collision surface.
- **Secure Configuration Review:** Reviewing CSRF protection mechanisms to ensure they do not rely solely on easily injectable cookies without additional context checks.
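The following Python script is an added example, not code from the summarized article or from CPython. It reproduces the space-delimiter behaviour of the stdlib `http.cookies.SimpleCookie` parser described in the Full Report above, places a strict RFC 6265-only parser beside it as the "validate against modern standards" mitigation, and reuses that strict parser as the check suggested under Behavioral Indicators (flagging logged Cookie headers with quotes or unexpected delimiters). The Cookie header strings, the log lines and the cookie names `session`, `data`, `csrf`, `a` and `theme` are all constructed for the example.

```python
import re
from http.cookies import SimpleCookie

# Constructed Cookie headers for the demonstration (assumed cookie names).
CLEAN_HEADER = "session=abc123; theme=dark"
# A user-influenced value containing a space: SimpleCookie ends the "data"
# cookie at the space and starts a new cookie called "csrf".
SPACE_HEADER = "session=abc123; data=hello csrf=injected"
# A quoted value: SimpleCookie folds the embedded "; c=d" into cookie "a".
QUOTE_HEADER = 'a="b; c=d"'


def stdlib_parse(header: str) -> dict:
    """Parse a Cookie header with http.cookies.SimpleCookie (space-tolerant)."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# RFC 6265 section 4.1.1 grammar:
#   cookie-name  = token (RFC 2616 token: no separators, no CTLs)
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. no whitespace, DQUOTE, comma, semicolon or backslash inside a value.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def strict_parse(header: str):
    """RFC 6265-only parser: split on ';' alone, require name=value, and
    reject any pair with characters outside the grammar. Returns None when
    the whole header is rejected, so nothing is silently reinterpreted."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip(" ")
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not _TOKEN.match(name):
            return None
        # A value may be wrapped in exactly one pair of DQUOTEs.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not _COOKIE_OCTETS.match(value):
            return None
        # Same-name cookies are legitimate (browser sends longest path first);
        # keep the first occurrence instead of letting a later one overwrite it.
        cookies.setdefault(name, value)
    return cookies


def audit_cookie_headers(log_lines):
    """Return the logged lines whose Cookie header the strict parser rejects.
    Expects constructed lines of the form '<client> Cookie: <header>'."""
    flagged = []
    for line in log_lines:
        _, _, header = line.partition("Cookie: ")
        if header and strict_parse(header) is None:
            flagged.append(line)
    return flagged


# Constructed access-log lines for the audit (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 Cookie: " + CLEAN_HEADER,
    "10.0.0.9 Cookie: " + SPACE_HEADER,
    "10.0.0.7 Cookie: " + QUOTE_HEADER,
]

if __name__ == "__main__":
    for header in (CLEAN_HEADER, SPACE_HEADER, QUOTE_HEADER):
        print(repr(header))
        print("  stdlib:", stdlib_parse(header))
        print("  strict:", strict_parse(header))
    print("flagged:", audit_cookie_headers(SAMPLE_LOG))
```

Running it shows the two parsers disagreeing exactly where the article says they do: `SimpleCookie` turns `data=hello csrf=injected` into three cookies and accepts the quoted value with its embedded semicolon as a single cookie, while `strict_parse` rejects both headers outright. Returning `None` rather than a best-effort dictionary is the design choice that matters for the mitigation: a request whose Cookie header fails strict validation should be treated as carrying no cookies (or rejected), never partially trusted, and the same predicate applied to logged headers gives a cheap behavioral indicator.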
## Related Tools/Techniques
- **HTTP Request Smuggling (e.g., CL.TE, TE.CL):** Conceptually similar in that different parsers interpret the end of a request body differently, but Cookie Smuggling specifically targets the HTTP `Cookie` header parsing logic, not request body length delineation.
- **Cookie Spoofing/Injection:** General term for manipulating cookie values in transit or via injection vectors.