# Cookie Manipulation

Cookie manipulation may have no impact on its own. However, it can be a crucial link in an exploit chain.

Cookie manipulation allows attackers to control data they would not normally control. This makes `document.cookie` a potential source for a later stage of the chain.
## Example

Consider this code:

```javascript
const current_location = location.pathname;
// Extract existing history from cookie
const match = /history=([^;]*)/.exec(document.cookie);
const history = match ? match[1].split(',') : [];
// Prepend current location, keep max 5
history.unshift(current_location);
const trimmed = history.slice(0, 5);
// Write back to cookie
document.cookie = 'history=' + trimmed.join(',');
// Render to DOM
document.write('<h3>History</h3><ul>' + trimmed.map(p => '<li>' + p + '</li>').join('') + '</ul>');
```

This code keeps the most recently visited paths in a `history` cookie, then writes them onto the page.
- It is vulnerable to cookie manipulation, since we can modify `document.cookie` through the `location.pathname` source.
- Since we can modify `document.cookie`, `document.cookie` is now itself a source.
- That `document.cookie` source is passed into the `document.write` sink, meaning XSS.
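The following is an added example, not code from the original page: a hardened rewrite of the history-cookie logic above. The original trusts whatever is already in the cookie and concatenates it straight into `document.write`. Here each path is URL-encoded before it is stored, decoded defensively when read back, filtered to entries that look like a same-origin path, and HTML-escaped before it reaches the DOM. The function names, the `MAX_HISTORY` constant and the cookie attributes chosen are assumptions made for this example.

```javascript
// Added example (not from the original page): hardened history-cookie logic.
// Names, the MAX_HISTORY limit and the cookie attributes are assumptions.

const MAX_HISTORY = 5;

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Read the "history" cookie out of a raw document.cookie string.
// Each comma-separated entry is URL-decoded; entries whose percent-encoding
// is malformed are treated as tampering and dropped.
function parseHistoryCookie(cookieString) {
  const match = /(?:^|;\s*)history=([^;]*)/.exec(cookieString);
  if (!match || match[1] === '') return [];
  const out = [];
  for (const raw of match[1].split(',')) {
    try {
      out.push(decodeURIComponent(raw));
    } catch (e) {
      // malformed percent-encoding: skip the entry
    }
  }
  return out;
}

// Accept only values shaped like an absolute path: leading "/", no
// whitespace or control characters. Anything else in the cookie is ignored.
function isPlausiblePath(p) {
  return typeof p === 'string' && /^\/[^\s\x00-\x1f]*$/.test(p);
}

// Build the new history list and the cookie string that stores it.
// Entries are encodeURIComponent'd so "," and ";" in a path cannot split
// or terminate the cookie value.
function updateHistory(cookieString, currentPath) {
  const history = parseHistoryCookie(cookieString).filter(isPlausiblePath);
  if (isPlausiblePath(currentPath)) history.unshift(currentPath);
  const trimmed = history.slice(0, MAX_HISTORY);
  const cookieValue = 'history=' + trimmed.map(encodeURIComponent).join(',')
    + '; Path=/; SameSite=Lax';
  return { trimmed, cookieValue };
}

// Render the list with every entry HTML-escaped, so a path containing
// angle brackets is displayed literally instead of being parsed as markup.
function renderHistoryHtml(paths) {
  return '<h3>History</h3><ul>'
    + paths.map((p) => '<li>' + escapeHtml(p) + '</li>').join('')
    + '</ul>';
}

// Browser glue: only runs where document and location exist, so the
// pure functions above can also be exercised outside a browser.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const { trimmed, cookieValue } = updateHistory(document.cookie, location.pathname);
  document.cookie = cookieValue;
  const container = document.createElement('div');
  container.innerHTML = renderHistoryHtml(trimmed);
  document.body.appendChild(container);
}
```

The two separate controls matter independently: encoding on write keeps a crafted path from injecting extra cookie entries, and escaping on read keeps an already-tampered cookie (set by another page on the same parent domain, for instance) from turning into markup. Neither replaces server-side validation of anything the cookie is later used for.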
Furthermore, if the cookie is used to track the user's session, the attacker may be able to perform a session fixation attack:

- The attacker sets the cookie's value to a valid session token that they own.
- The victim is tricked into logging in while using the attacker-controlled cookie.
- Alternatively, if the victim ends up authenticated as the attacker's account, they might add a credit card, a delivery address, etc.
A cookie-manipulation vulnerability like this can be used to attack not only the vulnerable website, but also any other website under the same parent domain.