WebApp Sec mailing list archives
Re: cookie with empty domain field
From: Jason Ross <algorythm () gmail com>
Date: Wed, 20 Oct 2010 22:52:25 -0400
Funny you should ask, I was just playing with this a couple of weeks ago =)

The nutshell version is: if there's no path specified, IE, Firefox, and Chrome treat the cookie as though the path were set to whatever branch you are in (e.g., if you are setting the cookie at http://some.site.com/some/path the cookie would be pathed to /some). That's "right", in my opinion, but how to handle cookies with no path set does not appear to be specified in any RFC (if it is, I can't find it).

Here are some scripts I cooked up back then to demo this behaviour. Clicking the links in order is recommended first, then play with jumping back and forth. (The premise was that the host is 'shared', with a legit app in /sandbox/coolapp, and a malicious one in /sandbox/malapp. There's nothing malicious about any of this content: each view page simply spits out the cookies it can see, and the set pages set a cookie with no path.)

http://dc585.info/view.php
http://dc585.info/set.php
http://dc585.info/sandbox/view.php
http://dc585.info/sandbox/set.php
http://dc585.info/sandbox/coolapp/view.php
http://dc585.info/sandbox/coolapp/set.php
http://dc585.info/sandbox/coolapp/dir1/view.php
http://dc585.info/sandbox/coolapp/dir1/set.php
http://dc585.info/sandbox/coolapp/dir2/view.php
http://dc585.info/sandbox/coolapp/dir2/set.php
http://dc585.info/sandbox/malapp/view.php
http://dc585.info/sandbox/malapp/set.php
http://dc585.info/sandbox/malapp/dir1/view.php
http://dc585.info/sandbox/malapp/dir1/set.php
http://dc585.info/sandbox/malapp/dir2/view.php
http://dc585.info/sandbox/malapp/dir2/set.php

--
Jason

On Wed, Oct 20, 2010 at 11:39 AM, Thomas Biege <tom () electric-sheep org> wrote:
Hello everybody,

what happens to cookies with an empty domain field? I know that cookies only having a top-level domain in it can be problematic, but do they also leak if this field is empty?

Cheers
Thomas

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
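The default-path behaviour Jason describes (a cookie set with no Path attribute is scoped to the directory of the request URL) is what RFC 6265 later codified. The following is an added example, not code from the thread or from Jason's demo pages: a minimal cookie jar that implements the RFC 6265 default-path and path-match rules and replays the shared-host layout from the post (coolapp and malapp under /sandbox) on a constructed host name, showing which cookies each view page would receive and why an explicit Path attribute is the mitigation on a shared host.

```python
from urllib.parse import urlsplit

def default_path(request_path):
    # RFC 6265 s5.1.4: with no Path attribute, the cookie path is the
    # request path up to (not including) its right-most "/", else "/".
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def path_matches(request_path, cookie_path):
    # RFC 6265 path-match: identical, or cookie path is a prefix that ends
    # in "/" or is followed by "/" (so /sandbox/coolapp does not cover
    # /sandbox/coolapp2, but does cover /sandbox/coolapp/dir1/...).
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class CookieJar:
    def __init__(self):
        self.cookies = {}  # (name, path) -> value

    def set_cookie(self, set_url, header):
        # header is a Set-Cookie value, e.g. "sid=abc" or "sid=abc; Path=/app"
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        path = None
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "path" and val.startswith("/"):
                path = val
        if path is None:  # browser falls back to the default-path rule
            path = default_path(urlsplit(set_url).path)
        self.cookies[(name, path)] = value
        return path

    def visible(self, view_url):
        # names a browser would send with a request for view_url
        req = urlsplit(view_url).path
        return sorted(n for (n, p) in self.cookies if path_matches(req, p))

def demo(host="http://shared.example"):  # constructed host, layout as in the post
    jar = CookieJar()
    jar.set_cookie(host + "/sandbox/coolapp/set.php", "coolsess=1")  # no Path
    jar.set_cookie(host + "/sandbox/malapp/set.php", "malsess=1")    # no Path
    jar.set_cookie(host + "/sandbox/set.php", "shared=1")            # no Path
    jar.set_cookie(host + "/sandbox/coolapp/set.php", "pinned=1; Path=/sandbox/coolapp/dir1")
    return {p: jar.visible(host + p) for p in (
        "/view.php", "/sandbox/view.php", "/sandbox/coolapp/view.php",
        "/sandbox/coolapp/dir1/view.php", "/sandbox/malapp/view.php",
        "/sandbox/coolapp2/view.php")}
```

The "shared" cookie set at /sandbox/set.php reaches both coolapp and malapp, which is the cross-application exposure the post's sandbox illustrates; pinning Path explicitly (as "pinned" does) is what keeps a cookie inside one application's tree.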