Cookie Sandwich Technique Exploits HttpOnly Cookies for Theft

Security researchers have unveiled a sophisticated web attack methodology dubbed the “Cookie Sandwich” that exploits how web servers parse and handle cookies containing special characters.

This technique can potentially compromise HttpOnly cookies, exposing them to client-side scripts.

Technical Implementation

The attack leverages Chrome browser’s handling of legacy cookies, particularly those starting with ‘$’, such as $Version.

The exploit manipulates cookie parsing behavior in Apache Tomcat, which supports both RFC6265 and RFC2109 standards.

When processing cookie headers, Tomcat’s parser defaults to legacy parsing logic upon encountering the special $Version attribute and continues reading quoted values until reaching an unescaped double quote character.

The vulnerability becomes particularly dangerous when combined with analytics systems that reflect cookie values in webpage content.

Proof-of-Concept

A proof-of-concept demonstrated how an attacker could craft a specific sequence of cookies:

document.cookie = `$Version=1;`;
document.cookie = `param1="start`;
document.cookie = `param2=end";`;

This sequence creates a malformed cookie structure that, when processed server-side, can expose sensitive session information in the Cookie header: Cookie: $Version=1; param1="start; sessionId=secret; param2=end".
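The parsing difference the article describes can be made concrete with a small model. The following is an added example, not PortSwigger's research code or Tomcat's parser: it parses the proof-of-concept Cookie header once with strict RFC 6265 splitting and once with a simplified RFC 2109-style quoted-value rule, and `sandwiched_cookies` reports which cookies the legacy mode silently absorbs, a check a defender can run over incoming Cookie headers.

```python
# Constructed from the article's proof-of-concept header, not a live capture.
SAMPLE_HEADER = '$Version=1; param1="start; sessionId=secret; param2=end"'


def parse_rfc6265(header):
    """Strict RFC 6265 style: split on ';', no quote handling at all."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_legacy_quoted(header):
    """Simplified model of legacy (RFC 2109) behaviour: a value that opens with a
    double quote runs until the next unescaped double quote, even across ';'."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":  # skip separators and whitespace
            i += 1
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            j = i + 1  # scan for the closing quote, ignoring backslash-escaped ones
            while j < n and not (header[j] == '"' and header[j - 1] != "\\"):
                j += 1
            value = header[i + 1:j]
            i = j + 1
        else:
            j = header.find(";", i)
            j = n if j == -1 else j
            value = header[i:j].strip()
            i = j
        cookies[name] = value
    return cookies


def sandwiched_cookies(header):
    """Names of cookies that legacy parsing would fold into another cookie's value."""
    strict = parse_rfc6265(header)
    legacy = parse_legacy_quoted(header)
    return sorted(set(strict) - set(legacy))
```

On the sample header, `parse_legacy_quoted` returns `param1` with the value `start; sessionId=secret; param2=end`, and `sandwiched_cookies` reports `['param2', 'sessionId']`.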

According to PortSwigger, the technique has been successfully tested against applications running Apache Tomcat versions 8.5.x, 9.0.x, and 10.0.x, which support RFC2109 by default.

Security experts recommend careful attention to cookie encoding and parsing behaviors, particularly in applications using tracking endpoints that reflect cookie values in JSON responses with cross-origin resource sharing (CORS) enabled.

This discovery highlights the ongoing challenges in web application security and the importance of understanding how different frameworks and browsers handle cookie processing.

Organizations are advised to review their cookie security implementations and consider the implications of supporting legacy cookie standards.
