Closed Bug 1595661 Opened 5 years ago Closed 4 years ago

Null byte injection in cookies through JavaScript leads to removing all the cookies from all the next requests for a particular website

Categories

(Core :: Networking: Cookies, defect)

70 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: suraj.disoja99, Assigned: baku)

References

Details

(Keywords: csectype-dos)

Attachments

(2 files)

Attached image Mozilla.PNG

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Hi team,
Consider a JS snippet which accepts a value from the user and sets a cookie with that value:
function getCookieValue() {
  // assumed helper (not in the original snippet): reads the user-supplied CookieValue query parameter
  return new URLSearchParams(location.search).get('CookieValue');
}
var CookieValue = getCookieValue();
if (CookieValue) {
  var date = new Date();
  date.setTime(date.getTime() + (7 * 24 * 60 * 60 * 1000));
  // the value is written to the cookie jar without any sanitization
  document.cookie = "Cookie=" + CookieValue + '; expires=' + date.toUTCString() + '; path=/';
}

Here, if any user injects a null byte (%00) by sending the parameter CookieValue=%00, then this null byte is directly injected into the Mozilla Firefox storage.

Actual results:

The null byte got injected in the Mozilla storage, and when a user sends any further requests to that website, the cookie header is removed from all the further requests, which means that the null byte may have poisoned the way Firefox handles all the cookies.
This could result in a DOS attack against any user, as the cookie header is removed and the website won't be able to track the user session.
I'm not sure if this issue could be escalated or not but I'll try to look further.

Expected results:

When someone tries to inject a null byte through cookies, Mozilla Firefox should sanitize the null byte before storing it, as Google Chrome does.
Let me know if you have any further queries or doubts.

Thanks and Regards,
Suraj Disoja
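A defender-side check in the spirit of what the report asks for and what the fix later enforces (cookie names and values must exclude NUL), written here as an added example rather than code from the report or from Firefox: the name is validated as an RFC 6265 token, the value as cookie-octets, and user input is refused when it carries control characters (NUL included) and percent-encoded otherwise. All function and constant names are the example's own.

```javascript
// Added example (not from the bug report or Firefox): keep a NUL, or any other
// control character, out of a cookie written with document.cookie.

// RFC 6265 token: printable US-ASCII minus separators and whitespace.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
// i.e. printable US-ASCII excluding CTLs, SP, DQUOTE, comma, semicolon, backslash.
const COOKIE_OCTET_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

function isValidCookieValue(value) {
  return typeof value === 'string' && COOKIE_OCTET_RE.test(value);
}

// Returns the value to store, or null if the raw input must be rejected.
// A decoded "%00" arrives as "\u0000" and is refused here; everything else is
// percent-encoded, and encodeURIComponent only emits characters that are
// legal cookie-octets, so the result always passes isValidCookieValue.
function sanitizeCookieValue(raw) {
  if (typeof raw !== 'string') return null;
  if (/[\x00-\x1F\x7F]/.test(raw)) return null; // NUL and other control chars
  return encodeURIComponent(raw);
}

// Builds the string handed to document.cookie, or throws if either part is
// outside the RFC 6265 grammar (the check the Firefox fix moved into the jar).
function buildSetCookieString(name, value, days) {
  if (!isValidCookieName(name) || !isValidCookieValue(value)) {
    throw new RangeError('cookie name or value contains characters outside RFC 6265');
  }
  const expires = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toUTCString();
  return `${name}=${value}; expires=${expires}; path=/`;
}

// Browser-side use (document is only touched here):
//   const v = sanitizeCookieValue(new URLSearchParams(location.search).get('CookieValue'));
//   if (v !== null) document.cookie = buildSetCookieString('Cookie', v, 7);
```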

Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: Cookies
Product: Firefox → Core

We shouldn't be storing NULL in cookies, and we certainly shouldn't be putting a NULL into an HTTP header. Or maybe you're saying that it's just missing (because we're probably using C-strings and don't copy anything in the constructed cookie string to the header after that point). Without looking any deeper, this seems like a self-DOS of the website, though I guess a one-time XSS attack could lead to a more permanent poisoning this way.

Group: network-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-dos

Honza, can you take a look?

Flags: needinfo?(honzab.moz)
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ede13f270ff7
Cookie names and values must exclude NULL char, r=mayhemer,annevk
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/21882 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Upstream PR merged by moz-wptsync-bot
Flags: needinfo?(honzab.moz)