Open Bug 1888847 Opened 3 months ago Updated 1 month ago

DevTools Storage inspector cookie table rendering issue/misalignment with tall characters

Categories

(DevTools :: Storage Inspector, defect, P3)

defect

Tracking

(Not tracked)

People

(Reporter: matan.honig2, Unassigned, Mentored)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-spoof, good-first-bug, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?][lang=css])

Attachments

(3 files)

Attached file cookies_POC.html

I was able to reproduce the vulnerability also on Windows 10, Windows 11 and Fedora Linux. Firefox version: 123.0.1

The issue is: an attacker site can use Set-Cookie to "log-inject" the developer-console cookie table (Storage > Cookies) by using tall Unicode characters.
Assuming an attacker was able to control (XSS or subdomain takeover) the victim website, and the victim website has a specific cookie which is HttpOnly, so the user can look at it. The attacker might use this technique to bypass the cookie table's layer of protection and "inject" his value into the table in front of the victim value.

Run the POC HTML file with an HTTP server (e.g. python -m http.server). The POC shows how an attacker can "inject" true into a cookie that is supposed to be false without changing the cookie value.

This is more dangerous than it seems, considering Firefox uses a weak cookie system across dev tool profiles: if you have the same website opened both in your normal profile and in your "private browsing" mode, the cookies are not shared with the website; however, if you open the table in the private tab and add a cookie from the normal mode, you'll see it also in the "private browsing" table (once again, the cookies themselves aren't shared between the two, just the table).

Flags: sec-bounty?
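As an added illustration from the defender's side (this is example code, not part of the bug report, the POC, or Firefox's code), the following Python checks one Set-Cookie header value against the RFC 6265 token and cookie-octet grammars and separately flags Unicode combining marks, the class of "tall" characters that stack on a base glyph and push a table row out of alignment. A server, proxy or test harness can run such a check before a cookie is emitted. The sample headers are constructed for the example.

```python
import re
import unicodedata

# RFC 6265 grammars:
#   token        = 1*<any CHAR except CTLs or separators>   (cookie-name)
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
#                  (printable US-ASCII minus CTLs, SP, DQUOTE, ",", ";", "\")
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET_RE = re.compile(r'^"?[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*"?$')


def combining_marks(text):
    """Return the combining marks (Unicode categories Mn/Mc/Me) found in text.

    These attach above or below the preceding base character; several of them
    stacked on one glyph is what makes a table cell render taller than its row.
    """
    return [ch for ch in text if unicodedata.category(ch) in ("Mn", "Mc", "Me")]


def check_cookie(name, value):
    """Return a list of findings for one cookie-pair; an empty list means clean."""
    findings = []
    if not _TOKEN_RE.match(name):
        findings.append("name is not an RFC 6265 token")
    if not _COOKIE_OCTET_RE.match(value):
        findings.append("value contains bytes outside the cookie-octet set")
    # Non-ASCII already fails the grammar above; this names the specific
    # rendering hazard so a log reader knows why the cookie was rejected.
    for field, text in (("name", name), ("value", value)):
        marks = combining_marks(text)
        if marks:
            findings.append(f"{field} contains {len(marks)} combining mark(s)")
    return findings


def check_set_cookie_header(header):
    """Check the cookie-pair at the start of a Set-Cookie header value.

    Attributes after the first ';' (Path, HttpOnly, Secure, ...) are not
    inspected here; only the name=value pair is validated.
    """
    pair = header.split(";", 1)[0]
    name, sep, value = pair.partition("=")
    if not sep:
        return ["missing '=' in cookie-pair"]
    return check_cookie(name.strip(), value.strip())


if __name__ == "__main__":
    # Constructed sample headers: one ordinary cookie and one whose value
    # carries three stacked COMBINING VERTICAL LINE ABOVE (U+030D) marks.
    samples = [
        "session=abc123; Path=/; HttpOnly",
        "isSecure=false\u030d\u030d\u030d; Path=/",
        "broken",
    ]
    for h in samples:
        print(repr(h), "->", check_set_cookie_header(h) or "ok")
```

The grammar check alone already rejects any non-ASCII value, so the combining-mark count is reported in addition, not instead: it tells whoever reads the rejection log that the cookie would also have distorted a row in a table-based viewer.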

(In reply to matan.honig2 from comment #0)

> This is more dangerous than it seems, considering Firefox uses a weak cookie system across dev tool profiles: if you have the same website opened both in your normal profile and in your "private browsing" mode, the cookies are not shared with the website; however, if you open the table in the private tab and add a cookie from the normal mode, you'll see it also in the "private browsing" table (once again, the cookies themselves aren't shared between the two, just the table).

This is known as bug 1640118.

I can't really reproduce the original issue as described and am struggling to understand what you think is a security problem here (even if the storage inspector table is buggy).

Can you clarify?

Flags: needinfo?(matan.honig2)
Component: Security → Storage Inspector
Product: Firefox → DevTools
Summary: Security: Cookie CR/LF injection → DevTools Storage inspector cookie table injection misrepresents what cookies are present

Yes. It's strange you can't reproduce the original issue with my POC. I screenshotted it, but I can't upload images here. On each OS I tested on, the "true" was close to the "IsSecure" (so it looks like "IsSecure" was "true"). Maybe it's the font.

From a security viewpoint, it can be useful for the attacker to disable the user's ability to detect and recognize unknown cookies. For example, if the attacker has an XSS on a website (or on a subdomain), and the victim enters it, but the attacker cannot control the HttpOnly cookies, it may be useful for the attacker to mislead the user by making a cookie seem like another one. E.g., a lot of sites use an HttpOnly cookie like "YOUR_TOKEN_SECRET_PLEASE_DONT_SHARE", and the attacker can use some limited XSS on a subdomain to make the cookie name look more like "public_username", to bypass this level of protection. (The mention of the cookie bug in a private profile is to say that it can happen even if the user opens the vulnerable subdomain in a private profile.)

Flags: needinfo?(matan.honig2)
Attached image cookies_screenshot.png

In your picture, and even in Gijs's, I see that the cookie values are taller than the other cells in the row and are increasingly shifted down. How much likely depends heavily on the OS and font. Is that what you're reporting here? That won't affect normal users (they shouldn't be looking in here), and developers who are debugging their sites will likely notice all the extra cookies you had to spam in there to achieve this effect.

Keywords: csectype-spoof
See Also: → 1640118

This does not need to be hidden. It's a rendering bug.

Group: firefox-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: DevTools Storage inspector cookie table injection misrepresents what cookies are present → DevTools Storage inspector cookie table rendering issue/misalignment with tall characters
Flags: sec-bounty? → sec-bounty-

We could try setting a fixed height on the table cell class in storage.css: https://searchfox.org/mozilla-central/source/devtools/client/themes/storage.css

This should fix the issue. It would be a good first bug, probably just a CSS fix; maybe add a small test to check that all cells have the same height even with special characters.

Mentor: nchevobbe
Severity: -- → S3
Keywords: good-first-bug
Priority: -- → P3
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][lang=css]