Security: document.cookie DOM property can be shadowed by a DOM node named cookie
Reported by
saurabh....@gmail.com,
Nov 21 2017
|
|||||
Issue descriptionVULNERABILITY DETAILS An attacker can inject an HTML tag name and thus confuse the javascript about the cookies. So, the JS fails to locate the right cookie instead finds this: object HTMLFormElement. VERSION Chrome Version: [61.0.3163.100] + [stable] Operating System: [Windows 7] REPRODUCTION CASE Include the following HTML Code and observe: <h3>Clobbering cookie</h3> <script> document.cookie="sa=1132"; document.write(document.cookie); </script> <br> <br> <form name="cookie"></form> <br> <br> <script>document.write(document.cookie);</script>
,
Nov 21 2017
Thanks for your report. What an attacker can do in that case? I see two scenarios, none of which has any security implications: 1) web-site controlled by an attacker: an attacker can do pretty much everything that JS allows them to do 2) XSS on 3rd party site: an attacker is able to execute JS in a victim's browser in a context of 3rd party web-site, most likely an attacker will read / write victim's data on that web-site? Adding Needs-Feedback label. Please share if you have thoughts regarding security implications.
,
Nov 21 2017
,
Nov 21 2017
https://crbug.com/257210#c12 points toward "Won't Fix" but we should perhaps let someone on the DOM team ensure that there isn't some new spec that calls for something different.
,
Nov 22 2017
saurabh.banawar, could you reply to #2?
,
Nov 23 2017
Re 2: I think this a genuine security issue. Regarding your question that what can an attacker do: 1. Let us assume that a 3rd party application takes user input and properly encodes it in order to ensure that there is no XSS. 2. If this user input is then entered in the form tag in the name attribute. 3. Also if this user input is stored in the DB and every time the page is rendered to all the user of the web app, the payload i.e. name="cookie" gets shown on the web page. 4. Now, if the client side legitimate JavaScript wants to fetch cookies using document.cookie API, the it will fail (how it fails is proved in my PoC). Thus the JS will paralyze and will not be able to support web app feature like submitting cookies to the website in an AJAX call or submitting cookies using an CORS request when with.credentials = true. Thus, this is an attack scenario in which web applications of 3rd party can be targeted by an attacker. SOLUTION: The solution is very easy. That is to make the JS parser give priority to main cookies and to not confuse it with attacker entered name="cookie". Thank you, Saurabh
,
Nov 23 2017
The scenario described in #6 seems both improbable and also does not describe a security issue. Unless there's a DOM specification that the cookie attribute should be unforgeable, I don't think we can take a change here. We need to either assign a specific owner on the DOM team so they can see the issue and can help triage the spec question, or change this to Type=Bug and let it get triaged via their normal process.
,
Nov 23 2017
Agree with elawrence@ in #7. Change type from bug-security to bug.
,
Nov 27 2017
As far as I know there's no discussion about making document.cookie marked [Unforgeable] in the IDL. As far as the security team replied that this is not a security issue, dom-team won't take any action on this. saurabh.banawar, the code in OP looks like just a page author accidentally made the form name as "cookie", and document.cookie is shadowed. Such a page doesn't work as you said. So how can it be a security attack, such as sending user's cookie to third-party site? Unless someone is sure that this is a security issue, we will take no action on this. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by elawrence@chromium.org
, Nov 21 2017Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Summary: Security: document.cookie DOM property can be masked by a DOM node named cookie (was: Security: Cookie clobbering using name attribute)