
Cookies Hacking

Cookies come with several attributes that control how the browser stores them and when it sends them back:

Expires and Max-Age

The Expires attribute sets an absolute expiry date, while Max-Age sets a lifetime in seconds; when both are present, Max-Age takes precedence. A cookie with neither is a session cookie and is discarded when the browser session ends. Prefer Max-Age, the more modern of the two.

Domain

The Domain attribute specifies which hosts receive the cookie. Without it, the cookie is host-only: it is sent back only to the exact host that set it, not to its subdomains. When Domain is set explicitly, the cookie is also sent to every subdomain of that domain, which makes it the less restrictive option, useful when cookies must be shared across subdomains. For instance, Domain=mozilla.org makes the cookie available on developer.mozilla.org as well. A host may set Domain to itself or to any parent domain that is not a public suffix, so a cookie set from a compromised subdomain can be scoped to the whole parent domain (see cookie tossing below).

Path

The Path attribute indicates a URL path that must be a prefix of the requested path for the Cookie header to be sent. The / character is treated as a directory separator, so a cookie with Path=/docs is also sent to /docs/api. Path is not a security boundary: the same-origin policy ignores paths, so a script on one path of the origin can still read a cookie scoped to another path (for example by loading that path in an iframe).

Ordering Rules

When two cookies bear the same name:

  • If they also share the same Domain and Path, the later Set-Cookie simply overwrites the earlier one.
  • Otherwise both are sent in the Cookie header. RFC 6265 orders them with the longest matching Path first and, for equal path lengths, the earliest-created cookie first. Many server frameworks keep the first occurrence (Python's http.cookies keeps the last, see the parsing section below), so an attacker-set cookie with a more specific Path, or one planted before the legitimate cookie, can take precedence; this is the mechanism behind cookie tossing.

SameSite

The SameSite attribute dictates whether a cookie is sent with requests that originate from another site. It takes three values:

  • Strict: the cookie is never sent on cross-site requests, not even on a top-level navigation that follows a link from another site.
  • Lax: the cookie is sent when the user navigates to the site from elsewhere (top-level navigation with a safe method such as GET), but not on cross-site subresource loads, iframes, XHR/fetch or cross-site POSTs.
  • None: the cookie is sent on every cross-site request. Chromium-based browsers only accept SameSite=None when the Secure attribute is also set.

| Request type | Example code | Cookies sent when |
|---|---|---|
| Link | `<a href="..."></a>` | NotSet*, Lax, None |
| Prerender | `<link rel="prerender" href=".."/>` | NotSet*, Lax, None |
| Form GET | `<form method="GET" action="...">` | NotSet*, Lax, None |
| Form POST | `<form method="POST" action="...">` | NotSet*, None |
| iframe | `<iframe src="..."></iframe>` | NotSet*, None |
| AJAX | `$.get("...")` | NotSet*, None |
| Image | `<img src="...">` | NotSet*, None |

Table from Invicti and slightly modified.
A cookie with SameSite attribute will mitigate CSRF attacks where a logged session is needed.

*Note that since Chrome 80 (February 2020) a cookie without a SameSite attribute is treated as Lax by default (https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/).
To limit breakage, Chrome applies a "Lax + POST" exception: a cookie without a SameSite attribute that was set less than 2 minutes ago is still sent on top-level cross-site POST requests; after that it is treated as Lax. Not every browser has adopted this default, so do not rely on it: set SameSite explicitly.

Cookies Flags

HttpOnly

This prevents client-side scripts from accessing the cookie (for example via JavaScript's document.cookie).

Bypasses

  • If some page reflects the request cookies in its response (for example a phpinfo page), an XSS can be used to fetch that page and read the cookies from the response body (see the example in https://hackcommander.github.io/posts/2022/11/12/bypass-httponly-via-php-info-page/).
  • The HTTP TRACE method, if the server allows it, echoes the request back in the response, cookies included. Abusing this from a page to read HttpOnly cookies is called Cross-Site Tracing (XST).
  • Modern browsers block TRACE requests from JavaScript, which neutralises XST. Historical bypasses existed in specific software, such as sending \r\nTRACE instead of TRACE to IE 6.0 SP2.
  • Zero-day vulnerabilities in the browser itself.
  • HttpOnly cookies can be overwritten (not read) by performing a cookie jar overflow attack:

{% content-ref url="cookie-jar-overflow.md" %} cookie-jar-overflow.md {% endcontent-ref %}

Secure

The browser only includes a Secure cookie in requests transmitted over a secure channel (typically HTTPS); it is never sent over plain HTTP.

Cookies Prefixes

Cookies prefixed with __Secure- are required to be set alongside the secure flag from pages that are secured by HTTPS.

For cookies prefixed with __Host-, several conditions must be met:

  • They must be set with the secure flag.
  • They must originate from a page secured by HTTPS.
  • They are forbidden from specifying a domain, preventing their transmission to subdomains.
  • The path for these cookies must be set to /.

It is important to note that cookies prefixed with __Host- are not allowed to be sent to superdomains or subdomains. This restriction aids in isolating application cookies. Thus, employing the __Host- prefix for all application cookies can be considered a good practice for enhancing security and isolation.
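As an added example (not HackTricks' own code), the following Python audits Set-Cookie headers against the attribute rules above: the prefix conditions that make a browser drop a cookie, and the missing flags a pentester would report. The header strings in it are constructed; the SameSite=None-requires-Secure rule is the Chromium behaviour and the Lax default mentioned applies to Chrome.

```python
def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into a dict. Attribute names are
    case-insensitive (RFC 6265), so they are lower-cased; bare flags map to True."""
    first, *attrs = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key:
            cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def audit_set_cookie(header, secure_origin=True):
    """Return findings for one Set-Cookie header: 'REJECT' means the browser
    drops the cookie, 'WEAK' means it is accepted but worth reporting."""
    c = parse_set_cookie(header)
    has_secure = c.get("secure") is True
    samesite = c.get("samesite")
    samesite = samesite.lower() if isinstance(samesite, str) else ""
    findings = []
    if c["name"].startswith("__Secure-") and not (has_secure and secure_origin):
        findings.append("REJECT: __Secure- prefix needs Secure and an https origin")
    if c["name"].startswith("__Host-"):
        if not (has_secure and secure_origin):
            findings.append("REJECT: __Host- prefix needs Secure and an https origin")
        if "domain" in c:
            findings.append("REJECT: __Host- cookie must not carry Domain")
        if c.get("path") != "/":
            findings.append("REJECT: __Host- cookie must set Path=/")
    if samesite == "none" and not has_secure:
        findings.append("REJECT: SameSite=None without Secure (Chromium rule)")
    if not has_secure:
        findings.append("WEAK: no Secure flag, sent over plain http too")
    if c.get("httponly") is not True:
        findings.append("WEAK: no HttpOnly, readable via document.cookie")
    if not samesite:
        findings.append("WEAK: no SameSite, browser default applies (Lax in Chrome)")
    if "domain" in c:
        findings.append(f"WEAK: Domain={c['domain']} shares the cookie with all subdomains")
    return findings


def audit_response(headers):
    """Audit every Set-Cookie in a list of (name, value) response headers."""
    return {parse_set_cookie(v)["name"]: audit_set_cookie(v)
            for n, v in headers if n.lower() == "set-cookie"}


if __name__ == "__main__":
    # Constructed response headers, not captured from a real application.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "__Host-sid=abc; Secure; HttpOnly; Path=/; SameSite=Strict"),
        ("Set-Cookie", "__Host-bad=abc; Secure; HttpOnly; Path=/; Domain=example.com; SameSite=Lax"),
        ("Set-Cookie", "tracking=xyz; SameSite=None"),
    ]
    for name, findings in audit_response(sample).items():
        print(name, findings or ["ok"])
```

Run it against the Set-Cookie headers of a login response; an empty list for the session cookie is the target state, and every `REJECT` entry means the application believes it set a cookie the browser never stored.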

Cookies Attacks

If a custom cookie contains sensitive data, inspect it (especially in a CTF), as it may be vulnerable.

Decoding and Manipulating Cookies

Sensitive data embedded in cookies should always be scrutinised. Cookies encoded in Base64 or a similar reversible format can be decoded; if the server does not protect their integrity (with a signature or MAC), an attacker can alter the decoded content, re-encode it and impersonate other users.

Session Hijacking

This attack involves stealing a user's cookie to gain unauthorized access to their account within an application. By using the stolen cookie, an attacker can impersonate the legitimate user.

Session Fixation

In this scenario, an attacker tricks a victim into using a specific cookie to log in. If the application does not assign a new cookie upon login, the attacker, possessing the original cookie, can impersonate the victim. This technique relies on the victim logging in with a cookie supplied by the attacker.

If you found an XSS in a subdomain or you control a subdomain, read:

{% content-ref url="cookie-tossing.md" %} cookie-tossing.md {% endcontent-ref %}

Session Donation

Here, the attacker convinces the victim to use the attacker's session cookie. The victim, believing they are logged into their own account, will inadvertently perform actions in the context of the attacker's account.

If you found an XSS in a subdomain or you control a subdomain, read:

{% content-ref url="cookie-tossing.md" %} cookie-tossing.md {% endcontent-ref %}

JWT Cookies

JSON Web Tokens (JWT) used as cookies carry their own class of flaws. For in-depth information on those flaws and how to exploit them, read the page on hacking JWT.

Cross-Site Request Forgery (CSRF)

This attack forces a logged-in user to execute unwanted actions on a web application in which they're currently authenticated. Attackers can exploit cookies that are automatically sent with every request to the vulnerable site.

Empty Cookies

(Check further details in the original research) Browsers permit the creation of cookies without a name, as the following JavaScript shows:

document.cookie = "a=v1"
document.cookie = "=test value;" // Setting an empty named cookie
document.cookie = "b=v2"

The resulting Cookie header is a=v1; test value; b=v2;. Because the value of the nameless cookie is sent verbatim, whoever can set it controls what the server parses: setting it to a=b makes the server see a cookie named a with value b, which lets an attacker spoof or override another cookie:

function setCookie(name, value) {
document.cookie = `${name}=${value}`;
}

setCookie("", "a=b"); // Setting the empty cookie modifies another cookie's value

Chrome Bug: Unicode Surrogate Codepoint Issue

In Chrome, if a Unicode surrogate codepoint is part of a set cookie, document.cookie becomes corrupted, returning an empty string subsequently:


document.cookie = "\ud800=meep";

(Check further details in the original research) Several web servers, including Java ones (Jetty, Tomcat, Undertow) and Python ones (Zope, cherrypy, web.py, aiohttp, bottle, webob), mishandle cookie strings because of legacy RFC 2965 support: they read a double-quoted cookie value as a single value even when it contains semicolons, which should normally separate key-value pairs. In the header below, JSESSIONID and ASDF disappear into RENDER_TEXT:

RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end";

(Check further details in the original research) The incorrect parsing of cookies by servers, notably Undertow, Zope, and those using Python's http.cookie.SimpleCookie and http.cookie.BaseCookie, creates opportunities for cookie injection attacks. These servers fail to properly delimit the start of new cookies, allowing attackers to spoof cookies:

  • Undertow starts a new cookie immediately after a closing quote, with no semicolon required.
  • Zope treats a comma as the start of the next cookie.
  • Python's cookie classes treat a space as the end of one cookie and the start of the next.

This vulnerability is particularly dangerous in web applications relying on cookie-based CSRF protection, as it allows attackers to inject spoofed CSRF-token cookies, potentially bypassing security measures. The issue is exacerbated by Python's handling of duplicate cookie names, where the last occurrence overrides earlier ones. It also raises concerns for __Secure- and __Host- cookies in insecure contexts and could lead to authorization bypasses when cookies are passed to back-end servers susceptible to spoofing.
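To see the parser discrepancy the research describes, here is an added example (not from the research or from HackTricks) that feeds constructed Cookie headers to Python's own http.cookies.SimpleCookie and to a strict RFC 6265 split, so the swallowed, smuggled and overridden cookies become visible side by side:

```python
from http.cookies import SimpleCookie

# Constructed Cookie headers (not captured traffic): the first has a quoted
# value spanning two ';', the second smuggles a cookie after a space, the
# third repeats a name, as two cookies with different Path/Domain would.
QUOTED = 'RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end"'
SPACE_INJECTED = "csrftoken=real; pref=foo csrftoken=evil"
DUPLICATE = "csrftoken=real; csrftoken=evil"


def parse_with_simplecookie(header):
    """What a Python app using the stdlib parser (http.cookies) ends up with."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_strict(header):
    """Server-side split as RFC 6265 section 5.4 describes: cut on ';' only
    and on the first '=' of each pair. Quotes, whitespace and backslashes are
    not cookie-octets, and a repeated name means two cookies arrived; both
    are reported so the caller can reject the request instead of guessing."""
    cookies, problems = {}, []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not name:
            problems.append(f"malformed pair {pair!r}")
            continue
        if any(ch in value for ch in ' \t",\\'):
            problems.append(f"illegal character in value of {name!r}")
        if name in cookies:
            problems.append(f"duplicate cookie {name!r}: keeping the first")
            continue
        cookies[name] = value
    return cookies, problems


def compare(header):
    """Side by side: lenient stdlib view vs strict view plus its warnings."""
    strict, problems = parse_strict(header)
    return {"simplecookie": parse_with_simplecookie(header),
            "strict": strict, "problems": problems}


if __name__ == "__main__":
    for h in (QUOTED, SPACE_INJECTED, DUPLICATE):
        print(h, "->", compare(h))
```

The three cases show the three failure modes in turn: SimpleCookie hands the application a single RENDER_TEXT containing the session cookie, so a front-end that splits on semicolons and the back-end disagree about which cookies exist; the space after `foo` starts a new `csrftoken` that then wins because the last occurrence overrides; and a plain duplicate is silently resolved to the attacker-friendly last value. The strict parser keeps the first value and reports the anomaly rather than deciding.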

Extra Vulnerable Cookies Checks

Basic checks

  • Check whether the cookie is the same every time you log in.
  • Log out and try to keep using the same cookie.
  • Log in from 2 devices (or browsers) to the same account and compare or reuse the cookie.
  • Check whether the cookie carries any information and try to modify it.
  • Create several accounts with almost identical usernames and look for similarities in their cookies.
  • Check the "remember me" option if it exists and work out how it works. If it exists and could be vulnerable, always use the remember-me cookie on its own, without any other cookie.
  • Check whether the old cookie still works after you change the password.

Advanced cookies attacks

If the cookie stays the same (or almost) each time you log in, it is probably derived from some field of your account (most likely the username). Then you can:

  • Create a lot of accounts with very similar usernames and try to work out how the algorithm works.
  • Try to brute-force the username. If the cookie is derived only from the username, create an account with username "Bmin" and brute-force every single bit of your cookie: one of the cookies you try will be the one belonging to "admin".
  • Try a Padding Oracle attack (you can decrypt the content of the cookie). Use padbuster.

Padding Oracle - Padbuster examples

padbuster <URL/path/when/successfully/login/with/cookie> <COOKIE> <PAD[8-16]>
# When the cookie is regular Base64
padbuster http://web.com/index.php u7bvLewln6PJPSAbMb5pFfnCHSEd6olf 8 -cookies auth=u7bvLewln6PJPSAbMb5pFfnCHSEd6olf

# If the sample is URL-safe Base64, lowercase hex or uppercase hex, the -encoding parameter is needed
# (0 Base64, 1 lowercase hex, 2 uppercase hex, 3 .NET UrlToken, 4 WebSafe Base64), for example:
padBuster http://web.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 8 -encoding 2

Padbuster can also drive the same oracle in the other direction and encrypt a chosen plaintext, forging a cookie with attacker-chosen content (the -plaintext option):

padbuster http://web.com/index.php 1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== 8 -cookies thecookie=1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== -plaintext user=administrator

CBC-MAC

Vulnerability

A cookie may carry a value and sign it using CBC: the signature is the last block produced by running the value through CBC encryption (a CBC-MAC), and the value's integrity is checked by recomputing that signature. When the IV is the null vector, this integrity check is vulnerable to the forgery below.

The attack

  1. Get the signature of the username administ = t
  2. Get the signature of the username rator\x00\x00\x00 XOR t = t'
  3. Set the cookie value to administrator+t' (t' is a valid signature, because (rator\x00\x00\x00 XOR t) XOR t = rator\x00\x00\x00)

ECB

If the cookie is encrypted using ECB, it may be vulnerable.
When you log in, the cookie you receive is always the same, because ECB is deterministic.

How to detect and attack:

Create 2 users with almost the same data (username, password, email, etc.) and try to find a pattern in the cookies you are given.

Create a user called, for example, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" and check whether a pattern appears in the cookie (as ECB encrypts every block with the same key, identical encrypted bytes will appear if the username is encrypted).

There should be a pattern whose length equals the block size. So, knowing how a block of "a" is encrypted, you can create the username "a"*(block size)+"admin". Then you can delete the encrypted pattern of the "a" block from the cookie, and you will have the cookie of the username "admin".
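As an added defensive example (not code from the original page), this shows the signed-cookie scheme that replaces the zero-IV CBC-MAC integrity check from the CBC-MAC section, together with the repeated-block check that flags the ECB fingerprint from the ECB section; it uses only the Python standard library, and the key and the sample ciphertext are constructed values.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hypothetical server-side key; a real deployment generates it with secrets.token_bytes(32).
KEY = b"constructed-demo-key-do-not-reuse"
BLOCK_SIZE = 16  # assumed block size (AES) for the repeated-block check


def make_cookie(key: bytes, username: str) -> str:
    """Issue value.tag with tag = HMAC-SHA256(key, value).

    Unlike a zero-IV CBC-MAC, the tag of "administ" gives no way to derive
    the tag of "administrator": HMAC has no block-by-block chaining to extend.
    """
    value = username.encode("utf-8")
    tag = hmac.new(key, value, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(value).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def verify_cookie(key: bytes, cookie: str) -> Optional[str]:
    """Return the username if the tag verifies, otherwise None."""
    try:
        value_b64, tag_b64 = cookie.split(".", 1)
        value = base64.urlsafe_b64decode(value_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        username = value.decode("utf-8")
    except ValueError:  # missing '.', bad base64 and bad UTF-8 are all ValueError
        return None
    expected = hmac.new(key, value, hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte early exit would leak the tag via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


def repeated_blocks(raw: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Count duplicated blocks in raw. Anything above 0 is the ECB fingerprint the
    section above describes and should never appear in a cookie you issue."""
    usable = len(raw) - len(raw) % block_size
    blocks = [raw[i:i + block_size] for i in range(0, usable, block_size)]
    return len(blocks) - len(set(blocks))


# Constructed sample: one 16-byte block repeated three times, then a distinct block.
CONSTRUCTED_ECB_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff" * 3
                                       + "ffeeddccbbaa99887766554433221100")
```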

References
