WebApp Sec mailing list archives

Re: cookie with empty domain field


From: Jason Ross <algorythm () gmail com>
Date: Wed, 20 Oct 2010 22:52:25 -0400

Funny you should ask, I was just playing with this a couple of weeks ago =)
The nutshell version is: if there's no path specified, IE, Firefox,
and Chrome treat the cookie as though the path were set to whatever
branch you are in (e.g., if you are setting the cookie at
http://some.site.com/some/path the cookie would be pathed to /some).
That's "right", in my opinion, but how to handle cookies with no path
set does not appear to be specified in any RFC (if it is, I can't find
it).

Here are some scripts I cooked up back then to demo this behaviour.
Clicking the links in order first is recommended, then play with
jumping back and forth. (The premise was that the host is 'shared', with a
legit app in /sandbox/coolapp and a malicious one in /sandbox/malapp.
There's nothing malicious about any of this content; each
view page simply spits out the cookies it can see, and the set pages
set a cookie with no path.)

http://dc585.info/view.php
http://dc585.info/set.php
http://dc585.info/sandbox/view.php
http://dc585.info/sandbox/set.php
http://dc585.info/sandbox/coolapp/view.php
http://dc585.info/sandbox/coolapp/set.php
http://dc585.info/sandbox/coolapp/dir1/view.php
http://dc585.info/sandbox/coolapp/dir1/set.php
http://dc585.info/sandbox/coolapp/dir2/view.php
http://dc585.info/sandbox/coolapp/dir2/set.php
http://dc585.info/sandbox/malapp/view.php
http://dc585.info/sandbox/malapp/set.php
http://dc585.info/sandbox/malapp/dir1/view.php
http://dc585.info/sandbox/malapp/dir1/set.php
http://dc585.info/sandbox/malapp/dir2/view.php
http://dc585.info/sandbox/malapp/dir2/set.php

--
Jason



On Wed, Oct 20, 2010 at 11:39 AM, Thomas Biege <tom () electric-sheep org> wrote:
Hello everybody,

What happens to cookies with an empty domain field? I know that cookies
only having a top-level domain in it can be problematic, but do they also
leak if this field is empty?

Cheers
Thomas



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
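The two scoping rules the thread touches, the missing Domain attribute Thomas asks about and the missing Path attribute Jason demonstrates, were later written down in RFC 6265 (April 2011, after this exchange): a cookie set without Domain is a host-only cookie that is returned only to the exact host that set it (sections 5.3 and 5.4), and a cookie set without Path gets a default-path equal to the request path up to its last "/" (section 5.1.4), which is exactly the /some behaviour Jason observed. The following is an added example, not code from the thread or from Jason's demo site: a small Node.js model of those rules replaying the demo's set.php/view.php layout. The dc585.info paths are the ones listed in the post; the cookie names, the Domain=dc585.info cookie and the www.dc585.info host are made up for illustration.

```javascript
// Added example (not from the thread): a minimal model of RFC 6265 cookie
// scoping for Set-Cookie headers that omit Domain and/or Path.
// Rules modelled: 5.1.3 domain-match, 5.1.4 default-path and path-match,
// 5.3 storage (host-only flag, default path), 5.4 cookie ordering.
// The dc585.info paths are the demo URLs from the post; the cookie names and
// the www.dc585.info host are invented for this example.

// RFC 6265 5.1.4: derive the default path when Set-Cookie carries no Path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  if (lastSlash === 0) return "/";          // "/" or "/set.php" -> "/"
  return uriPath.slice(0, lastSlash);       // "/sandbox/coolapp/set.php" -> "/sandbox/coolapp"
}

// RFC 6265 5.1.4: does a request path match a stored cookie path?
function pathMatches(requestPath, cookiePath) {
  if (!requestPath.startsWith(cookiePath)) return false;
  if (requestPath.length === cookiePath.length) return true;  // identical paths
  if (cookiePath.endsWith("/")) return true;                  // "/a/" covers "/a/b"
  return requestPath[cookiePath.length] === "/";              // "/a" covers "/a/b", not "/ab"
}

// RFC 6265 5.1.3 / 5.4: host-only cookies need an exact host match; cookies
// with an explicit Domain match that domain and its subdomains.
// (IP-address hosts are not handled in this model.)
function domainMatches(requestHost, cookie) {
  if (cookie.hostOnly) return requestHost === cookie.domain;
  return requestHost === cookie.domain || requestHost.endsWith("." + cookie.domain);
}

// Store one Set-Cookie header received in a response to requestUrl.
function storeCookie(jar, setCookieHeader, requestUrl) {
  const url = new URL(requestUrl);
  const [nameValue, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    domain: url.hostname,   // no Domain attribute -> host-only cookie (5.3 step 6)
    hostOnly: true,
    path: null,
    created: jar.length,    // creation order, the tie-breaker in 5.4
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "path" && v.startsWith("/")) {
      cookie.path = v;
    }
  }
  if (cookie.path === null) cookie.path = defaultPath(url.pathname);  // 5.3 step 7
  jar.push(cookie);
  return cookie;
}

// RFC 6265 5.4: names of the cookies a request to requestUrl would carry,
// longest path first, then oldest first.
function cookiesFor(jar, requestUrl) {
  const url = new URL(requestUrl);
  return jar
    .filter((c) => domainMatches(url.hostname, c) && pathMatches(url.pathname, c.path))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map((c) => c.name);
}

// Replay the demo: each set.php sets one cookie with no Path attribute,
// plus one invented cookie that carries an explicit Domain.
function demoJar() {
  const jar = [];
  storeCookie(jar, "root=1", "http://dc585.info/set.php");
  storeCookie(jar, "coolapp=1", "http://dc585.info/sandbox/coolapp/set.php");
  storeCookie(jar, "malapp=1", "http://dc585.info/sandbox/malapp/set.php");
  storeCookie(jar, "wide=1; Domain=dc585.info", "http://dc585.info/sandbox/coolapp/set.php");
  return jar;
}

if (typeof require !== "undefined" && require.main === module) {
  const jar = demoJar();
  for (const u of [
    "http://dc585.info/view.php",
    "http://dc585.info/sandbox/coolapp/dir1/view.php",
    "http://dc585.info/sandbox/malapp/view.php",
    "http://www.dc585.info/sandbox/coolapp/view.php",
  ]) {
    console.log(u, "->", cookiesFor(jar, u).join(", ") || "(none)");
  }
}
```

Running it shows /sandbox/malapp/view.php receiving only the root and malapp cookies, /sandbox/coolapp/dir1/view.php receiving coolapp, wide and root, and the host-only cookies never reaching www.dc585.info. Two caveats a practitioner should keep in mind. First, Path is not a security boundary: the same-origin policy ignores paths, so a page under /sandbox/malapp can frame a page under /sandbox/coolapp and read its document.cookie, which is why RFC 6265 section 8.6 warns that Path provides no confidentiality; put mutually distrusting apps on separate origins, not separate directories. Second, the host-only answer to Thomas's question describes the RFC 6265 model; older Internet Explorer versions did not implement host-only cookies and sent a cookie set without Domain to subdomains as well, so the safe assumption for legacy clients is that such a cookie can leak to every subdomain.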




