These forums are currently read-only due to receiving more spam than actual discussion. Sorry.

It is currently Sat Dec 02, 2017 4:25 pm Advanced search

Web storage and cookie path question

Here you can discuss things related to HTML and the Web in general that do not fit in to other categories.

Web storage and cookie path question

Postby Jordan » Sat Nov 28, 2009 7:13 pm

Hello developers.
I have been wondering after reading this part of the web storage spec: http://dev.w3.org/html5/webstorage/#cross-directory-attacks

Even if a path-restriction feature was made available, the usual DOM scripting security model would make it trivial to bypass this protection and access the data from any path.


How exactly could this kind of restriction be bypassed ? And more importantly, can it be done for cookies as well ?

Thanks in advance.
Jordan
<h6>
 
Posts: 5
Joined: Sun Apr 15, 2007 5:01 pm

Postby zcorpan » Thu Dec 03, 2009 10:34 am

I think you could for instance create an iframe and load the other page from the other path in the iframe, and then you have access to the iframe's contentDocument and all its data, since it's same-origin.

If you want two pages to not have access to each other, you need to make them not-same-origin. (Also look into setting document.domain which relaxes the same-origin restriction for some things.)
zcorpan
<article>
 
Posts: 807
Joined: Tue Feb 06, 2007 8:29 pm
Location: Sweden

Postby Jordan » Thu Dec 03, 2009 12:35 pm

Indeed. Why didn't I even think of that ? I must have been tired when I asked... :?

After some tests, it seems that you can even access the cookie data from a file that does not exist or is forbidden. Ie. loading in the iframe with
Code: Select all
src="/mypath/secret/noSuchFile.htm"
will allow to access the cookies with path "/mypath/secret", even if noSuchFile.htm does not exist (404), except in IE 8.

An iframe with
Code: Select all
src="/mypath/secret"
even if directory listing is forbidden (403), will allow access to the "restricted" cookies, in IE8, FF3.5 and Opera 10.10...

I fear web developers may not be well aware of the issue, as the best link I could find for "cookie path safe" was this one http://www.net-security.org/article.php?id=704, which recommends to always setting an explicit path on cookies as if it would make them safe, without mentioning the issue at all... Admittedly, the paper was written in 2004, but still...
Jordan
<h6>
 
Posts: 5
Joined: Sun Apr 15, 2007 5:01 pm

Postby zcorpan » Thu Dec 03, 2009 10:40 pm

Can 404 pages not use cookies in IE8? Or just the parent page can't read them?

What's the attack vector?
zcorpan
<article>
 
Posts: 807
Joined: Tue Feb 06, 2007 8:29 pm
Location: Sweden

Postby Jordan » Fri Dec 04, 2009 12:09 am

It seems you can access contentWindow, but trying to access contentWindow.document (for IE's "special" 404 pages) raises an "access denied" exception, so it's not exactly a restriction on document.cookie, but on document itself...
Jordan
<h6>
 
Posts: 5
Joined: Sun Apr 15, 2007 5:01 pm


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 0 guests