Null byte injection in cookies through JavaScript leads to removing all the cookies from all the next requests for a particular website
Categories: Core :: Networking: Cookies, defect
People: Reporter: suraj.disoja99, Assigned: baku
Keywords: csectype-dos
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:70.0) Gecko/20100101 Firefox/70.0
Steps to reproduce:
Hi team,
Consider a JS snippet which accepts a value from the user and sets a cookie of that value:
    // getCookieValue() returns user-controlled input (e.g. a URL parameter)
    var CookieValue = getCookieValue();
    if (CookieValue) {
        var date = new Date();
        date.setTime(date.getTime() + (7 * 24 * 60 * 60 * 1000));
        document.cookie = "Cookie=" + CookieValue + '; expires=' + date.toUTCString() + '; path=/';
    }
Here, if any user injects a null byte - %00 by sending the parameter CookieValue=%00, then this null byte is directly injected into the Mozilla Firefox storage.
Actual results:
The null byte got injected in the Mozilla storage, and when a user sends any further requests to that website, the Cookie header is removed from all the further requests, which means that the null byte may have poisoned the way Firefox handles all the cookies.
This could result in a DoS attack against any user, as the Cookie header is removed and the website won't be able to track the user session.
I'm not sure if this issue could be escalated or not but I'll try to look further.
Expected results:
When someone tries to inject a null byte through cookies, Mozilla Firefox should sanitize the null byte before storing it, as Google Chrome does.
Let me know if you have any further queries or doubts.
Thanks and Regards,
Suraj Disoja
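The client-side sanitization the reporter asks for, as an added example that is not part of the bug report or of Firefox's fix: the cookie value is checked against the RFC 6265 cookie-octet grammar before it is written, so a NUL byte (or any other control character) is rejected instead of reaching the cookie store. The helper names and the constructed input are assumptions for illustration.

```javascript
// Added example (not from the bug report): validate a cookie value before
// writing it to document.cookie, so a NUL byte or other control character
// never reaches the browser's cookie store.
// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
// i.e. printable US-ASCII excluding CTLs, whitespace, DQUOTE, comma,
// semicolon and backslash.
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidCookieValue(value) {
  return typeof value === 'string' && COOKIE_OCTET.test(value);
}

// Builds the string that would be assigned to document.cookie, or returns
// null when the name or value is rejected. Kept pure so it can be tested
// outside a browser.
function buildCookieString(name, value, days) {
  if (!isValidCookieValue(name) || name.length === 0 || !isValidCookieValue(value)) {
    return null;
  }
  const date = new Date();
  date.setTime(date.getTime() + days * 24 * 60 * 60 * 1000);
  return name + '=' + value + '; expires=' + date.toUTCString() + '; path=/';
}

// Hypothetical browser-side wrapper: refuses to write rather than letting
// document.cookie receive a poisoned value. Returns true only on success.
function setCookieSafely(name, value, days) {
  const cookie = buildCookieString(name, value, days);
  if (cookie === null) {
    return false;
  }
  document.cookie = cookie;
  return true;
}

// Constructed sample input: what CookieValue=%00 looks like after URL decoding.
const injected = decodeURIComponent('abc%00def');
```

With the original snippet the decoded `%00` would be handed straight to document.cookie; with this check buildCookieString returns null and nothing is stored.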
Comment 1•5 years ago
We shouldn't be storing NULL in cookies, and we certainly shouldn't be putting a NULL into an HTTP header. Or maybe you're saying that it's just missing (because we're probably using C-strings and don't copy anything in the constructed cookie string to the header after that point). Without looking any deeper seems like a self-DOS of the website, though I guess a one-time XSS attack could lead to a more permanent poisoning this way.
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ede13f270ff7 Cookie names and values must exclude NULL char, r=mayhemer,annevk
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/21882 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
Upstream PR merged by moz-wptsync-bot