Reliance on Cookies without Validation and Integrity Checking in phpservermon/phpservermon
Jun 24th 2021
The program creates a cookie without setting the
secure flag to
Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.
In the example below, the code adds a cookie to the response without setting the
setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN);
🕵️♂️ Proof of Concept
The process involved in setting cookie are:- 1. The server asks the browser to set a cookie. 2. It gives a name, value and other parameters. 3. Browser stores the data in disk or memory. Now as an attacker: 1. Attacker send the user any malicious link such as http://malicious-site.domain.com/ 2. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. 3. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. 4. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://malicious-site.domain.com:443/ to perform the same attack.
Using this vulnerability, an attacker can:-
- redirect the user to a malicious site to steal session cookie.
- show user false data which will, in turn, affect the credibility of the website.
Set the secure flag on all new cookies in order to instruct browsers not to send these cookies in the clear. This can be accomplished by passing true as the sixth argument to setcookie().
The code below corrects the mistake in code by setting the secure flag to true.
setcookie('rememberme', $cookie_string, time() + PSM_LOGIN_COOKIE_RUNTIME, "/", PSM_LOGIN_COOKIE_DOMAIN, TRUE);