CookiePrefixBypass.bambda
id: c4ffc008-4520-47dc-b19b-f0794dccac11
name: CookiePrefixBypass
function: SCAN_CHECK_ACTIVE_PER_REQUEST
location: SCANNER
source: |-
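/**
 * Identifies HTTP cookie prefix bypass vulnerability.
 *
 * Browsers apply prefix restrictions to cookies named "__Host-..." or "__Secure-..."
 * (see the linked research), so server-side code tends to trust such names. A server
 * that strips a leading Unicode space separator from a cookie name before parsing it
 * will treat "<U+2000>__Host-x" as "__Host-x", although the browser never applied the
 * prefix rules to that cookie.
 *
 * The check sends the prefixed cookies twice over HTTP/1: once unchanged (baseline)
 * and once with U+2000 (UTF-8 bytes E2 80 80) prepended to every prefixed name
 * (probe). An issue is reported when both responses carry the same COOKIE_NAMES
 * attribute, i.e. when the server apparently ignored the injected character.
 *
 * Returns null when the base request has no response, when no prefixed cookie is
 * present in the request or the response, or when either probe yields no response;
 * otherwise an AuditResult holding one LOW / TENTATIVE issue.
 *
 * @author d0ge
 **/
if (!requestResponse.hasResponse()) return null;
var req = requestResponse.request();
var res = requestResponse.response();

// Cookie names that fall under the browser prefix rules.
java.util.function.Predicate<String> hasPrefix =
        n -> n.startsWith("__Host-") || n.startsWith("__Secure-");

// Name -> cookie parameter, in first-seen order. Response cookies are inserted first,
// so a request cookie of the same name replaces them.
var byName = new java.util.LinkedHashMap<String, HttpParameter>();
res.cookies().stream()
        .filter(c -> hasPrefix.test(c.name()))
        .forEach(c -> byName.put(c.name(), HttpParameter.cookieParameter(c.name(), c.value())));
req.parameters().stream()
        .filter(p -> p.type() == HttpParameterType.COOKIE && hasPrefix.test(p.name()))
        .forEach(p -> byName.put(p.name(), HttpParameter.cookieParameter(p.name(), p.value())));
var prefixed = new java.util.ArrayList<>(byName.values());
if (prefixed.isEmpty()) {
    return null;
}

// Placeholder put in front of every prefixed cookie name. It is stripped for the
// baseline and patched at the byte level for the probe, so it must not occur anywhere
// else in the request.
// NOTE(review): the byte patching below assumes ByteArray.byteArray(String) maps each
// '§' to exactly one byte, so the marker occupies the three bytes that get overwritten
// - confirm against the ByteArray implementation.
final String marker = "§§§";
var withMarkers = req
        .withRemovedParameters(prefixed)
        .withAddedParameters(
                prefixed.stream()
                        .map(p -> HttpParameter.cookieParameter(marker + p.name(), p.value()))
                        .toList()
        );
// Both probes are sent with HttpMode.HTTP_1, so the request line is rewritten to match.
var downgraded = withMarkers.toString().replaceFirst("HTTP/2", "HTTP/1.1");

// Baseline: the prefixed cookies exactly as collected, so that the comparison below
// isolates the effect of the injected character.
var baselineText = downgraded.replace(marker, "");
var baseline = api().http().sendRequest(
        HttpRequest.httpRequest(req.httpService(), baselineText), HttpMode.HTTP_1);
if (!baseline.hasResponse()) {
    return null;
}
var baselineCookieNames = baseline.response().attributes(AttributeType.COOKIE_NAMES);

// Probe: overwrite each marker with the UTF-8 encoding of U+2000 (EN QUAD). Every
// iteration consumes one marker, so the loop terminates.
var probeBytes = ByteArray.byteArray(downgraded);
int at;
while ((at = probeBytes.indexOf(marker)) != -1) {
    probeBytes.setByte(at, (byte) 0xE2);
    probeBytes.setByte(at + 1, (byte) 0x80);
    probeBytes.setByte(at + 2, (byte) 0x80);
}
var probe = api().http().sendRequest(
        HttpRequest.httpRequest(req.httpService(), probeBytes), HttpMode.HTTP_1);
if (!probe.hasResponse()) return null;
var probeCookieNames = probe.response().attributes(AttributeType.COOKIE_NAMES);

// getFirst() throws on an empty list; treat that as "nothing to compare".
if (baselineCookieNames.isEmpty() || probeCookieNames.isEmpty()) {
    return null;
}
// The baseline and the probe must be compared with each other: a matching COOKIE_NAMES
// attribute means the server handled the probe like the baseline, i.e. it ignored the
// leading U+2000. A differing attribute means the extra character was preserved.
if (baselineCookieNames.getFirst().value() != probeCookieNames.getFirst().value()) {
    return null;
}
// NOTE(review): a server that ignores these cookies altogether also produces matching
// attributes, which is why the confidence stays TENTATIVE. Both exchanges are attached
// as evidence so the reviewer can compare them.
return AuditResult.auditResult(burp.api.montoya.scanner.audit.issues.AuditIssue.auditIssue(
        "Cookie Prefix Bypass",
        "The server appears to be vulnerable to a <b>Unicode-based bypass</b> affecting cookies with the <b>__Host-</b> or <b>__Secure-</b> prefix. This issue exploits whitespace trimming behavior, allowing an attacker to set privileged cookies using visually similar names.",
        "Ensure the server does not silently strip or normalize <i>Unicode space separator characters</i> (e.g. U+2000–U+200A) before parsing cookie names. These characters can be used to bypass prefix restrictions in modern browsers like Chrome and Firefox.",
        req.url(),
        burp.api.montoya.scanner.audit.issues.AuditIssueSeverity.LOW,
        burp.api.montoya.scanner.audit.issues.AuditIssueConfidence.TENTATIVE,
        "For technical background on Unicode-based cookie prefix bypasses, see: <a href=\"https://portswigger.net/research/cookie-chaos\">https://portswigger.net/research/cookie-chaos</a>",
        "",
        burp.api.montoya.scanner.audit.issues.AuditIssueSeverity.LOW,
        baseline,
        probe
));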