New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 701819 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
mkwst@chromium.org
elawrence@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Non-secure origins can set cookies that overshadow secure cookies

Reported by djohans...@cigital.com, Mar 15 2017 
VULNERABILITY DETAILS
A HTTP response from a non-secure origin (e.g., http://www.example.com) can 
set a cookie with the same name as an existing cookie from a secure origin 
(e.g., https://www.example.com: Set-Cookie: _csurf=abc123...; Path=/, secure; HttpOnly) 
by specifying a more specific path (e.g., _csurf=attacker_value; Path=/submit). 
According to 'Strict secure cookie', this should not be possible as the new 
cookie's path overshadows part of an existing secure cookie's path.
Chrome will however store both cookies, and the value from the non-secure origin will 
overshadow the 'secure' cookie (e.g., being sent first) when sent to a route 
with the specific path. This can be abused by an attacker with a privileged 
network position to perform a MITM attack and inject HTTP responses that 
effectively 'overwrites' secure cookies for a target site and hence enables 
various attacks that rely on compromising the integrity of a site's cookies.
Two examples of attacks that this bug enables is forcing a cookie with an attacker's 
session id upon a user for a session fixation attack (when server doesn't change session id
after authentication) or bypassing CSRF defences based on the double-submit cookie 
pattern. 

Please note that as most sites would default the cookie path to / rather
than specific endpoints, an attacker can exploit this in a majority of instances.

VERSION
Chrome Version: Version 56.0.2924.76 Built on Ubuntu , running on Ubuntu 16.04 (64-bit) (stable)
Operating System: Ubuntu 16.04.2 LTS (64-bit)

REPRODUCTION CASE
1. Visit a web page on secure origin (e.g., https://www.example.com/) that sets a cookie marked as 'secure' 
2. Open Chrome developer tools and observe that a cookie is set for the path / and marked as 'secure'
3. Generate a request to the same web page but with an insecure protocol (e.g., http://www.example.com) 
4. Add a Set-Cookie header to the response from this non-secure origin with the same name as the cookie set in step 1, 
but with a more specific path (e.g., Path=/submit)
5. Navigate to the specific path set in step 4 above over the secure channel (e.g., https://www.example.com/submit) and 
observe in the developer tools that two cookies with the same name are set (see attached file '1. chrome_cookie_jar.png')
6. Inspecting the request headers through the network tab in developer tools also confirms that 
the cookie set from the non-secure origin is sent as the first value, effectively
shadowing the 'secure' cookie of the same name. (see attached file '2. chrome_req_headers.png')

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
(Not applicable - no crash)
1. chrome_cookie_jar.png
47.1 KB View Download
2. chrome_req_headers.png
37.1 KB View Download

Comment 1 by djohans...@cigital.com, Mar 15 2017 

Adding a sequence diagram showing how one attack scenario can exploit this to bypass a CSRF defence based on double-submit cookies (verified with an AngularJS app and csurf middleware in cookie-mode on Node.js)
mitm-set-cookie-sequence.png
89.5 KB View Download

Comment 2 by elawrence@chromium.org, Mar 15 2017

Cc: mkwst@chromium.org
Labels: Needs-Feedback
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01

Launch bug: https://bugs.chromium.org/p/chromium/issues/detail?id=568188 suggests that this should be on-by-default as of Chrome 58:

commit a26e439d02baa9514b09c63 was:
  initially in 58.0.2995.0

The status page: https://www.chromestatus.com/feature/4506322921848832 notes that this feature was enabled behind a flag in Chrome 52.

Can you try reproducing your issue on the latest Chrome Unstable build?

Comment 3 by elawrence@chromium.org, Mar 15 2017

Components: Internals>Network>Cookies
I'm not able to reproduce the finder's report on Chrome 59 using this demo: https://fiddlerbook.com/test/cookie/LeaveSecureAlone.aspx

Comment 4 by djohans...@cigital.com, Mar 15 2017 

Just tried on Chrome Version 58.0.3029.19 dev (64-bit), and it's true that I no longer can set the cookie on a more specific path, so it seems fixed in that regard.

However, I discovered that the opposite is possible, e.g., if the secure cookie is set for Path=/submit, I am able to later set a cookie with the same name for Path=/ from a non-secure origin. Attached a screenshot showing these.

Note that this also applies to the stable release (56.0.2924.76) mentioned in the initial report. Although this may not be as severe since the secure cookie would take precedence for the specific path it was set, I'm still not sure if this is the intended behavior or a bug?
chrome_unstable_cookie_shadowing.png
18.2 KB View Download
Project Member

Comment 5 by sheriffbot@chromium.org, Mar 15 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by djohans...@cigital.com, Mar 15 2017 

FWIW, Firefox appears to do the same in this case, e.g., a broader path attribute can be specified for a cookie from a non-secure origin for an existing secure cookie having a more specific path.

Comment 7 Deleted

Comment 8 by elawrence@chromium.org, Mar 15 2017

Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
I believe this is working as expected. From the spec:

  4.  The "path" of the newly created cookie path-matches the
      "path" of the existing cookie.

  Note: The "path" comparison is not symmetric, ensuring only
  that a newly-created non-secure cookie does not overlay an
  existing secure cookie, providing some mitigation against
  cookie fixing attacks.  That is, given an existing secure
  cookie named "a" with a "path" of "/login", a non-secure
  cookie named "a" could be set for a "path" of "/" or "/foo",
  but not for a "path" of "/login" or "/login/en".

In Chrome's code:

// Checks a looser set of equivalency rules than 'IsEquivalent()' in order
// to support the stricter 'Secure' behaviors specified in
// https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone#section-3
//
// Returns 'true' if this cookie's name matches |ecc|, and this cookie is
// a domain-match for |ecc| (or vice versa), and |ecc|'s path is "on" this
// cookie's path (as per 'IsOnPath()').
//
// Note that while the domain-match cuts both ways (e.g. 'example.com'
// matches 'www.example.com' in either direction), the path-match is
// unidirectional (e.g. '/login/en' matches '/login' and '/', but
// '/login' and '/' do not match '/login/en').
bool IsEquivalentForSecureCookieMatching(const CanonicalCookie& ecc) const;

Comment 9 by djohans...@cigital.com, Mar 20 2017 

I agree, it is working as expected in Chrome 58+, no fix required. 

My report originated in a misunderstanding that strict secure cookies was enabled in Chrome 52+, but the updates on https://www.chromestatus.com/feature/4506322921848832 now makes it clear that it's enabled from 58.

Sign in to add a comment