POST /admin HTTP/1.1 [...] Cookie: sid=123; lang=en HTTP Response JavaScript API (write) Subsequent HTTP Request document.cookie // sid=123; lang=en JavaScript API (read) *Attributes do not appear in requests
RFC vs new RFC style) • Both widen the scope of a cookie to all (sub)domains • The correct way to limit the scope is to not have the domain attribute • Some websites add the domain attribute for all cookies • If one of the subdomains is compromised, such cookies will be leaked to unauthorized parties
request headers • When this limit is exceeded, HTTP 413 or 431 is returned • Limited cookies injection can still result in client-side DoS • Domain & Expire attributes help persist the attack across (sub)domains.
an iframe pointing to OAuth IdP 3. It redirects to target with the authorization code 4. Server rejects the request due to large header 5. Use XSS to get the authorization code from iframe URL
domain, path) • Each cookie-key-value has their own attribute list • (Sub)domains can force a cookie with the same name to other (sub)domains • Browser sends all cookies of the same name without attributes • Server thus has no way to tell which one is from which domain/path
static • twitter.com uses auth_token for session ID and _twitter_sess for storing CSRF token • Could modify _twitter_sess with an attacker-known value and have site-wide CSRF • However it’s protected by HttpOnly
JavaScript API • Safari before version 12 has a bug that allows writing to HttpOnly cookies with JavaScript API • Cookie Tossing can also help “bypass” this flag, as you can create a cookie with the same name but different key tuple
cookie-list in the following order: * Cookies with longer paths are listed before cookies with shorter paths. * Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.
duplicate cookies • Most servers accept the first occurrence of cookies with the same name (think of HPP) • Most browsers place cookies created earlier first
cookie-list in the following order: * Cookies with longer paths are listed before cookies with shorter paths. * Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.
the number and size of cookies that they can store. General-use user agents SHOULD provide each of the following minimum capabilities: o At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes). o At least 50 cookies per domain.
cookie is to remove it • Browsers have a limitation on how many cookies a domain can have • When there is no space, older cookies will get deleted • Drawback: it’s not always easy to know how many cookies a victim has (tracking cookies are unpredictable)
attribute • This prevents (sub)domains from forcing a cookie the current domain doesn’t want • Cookies intended for (sub)domains are still vulnerable to Cookie Tossing • Use a separate domain for user generated assets