Cookie leaking between domains
If a response from domain-a tries to set a cookie with `Domain=domain-b`, the browser should reject it outright (RFC 6265 §5.3: the request host must domain-match the cookie's Domain attribute), so the cookie is never stored and never sent to domain-b when the browser later makes a request there.
Here is a sample displaying the issue.
// Boot the express fixture first; the zombie scenario runs once it is listening.
const onListening = testClient;
setupServer(onListening);
// ---------- Setup server
/**
 * Starts the express fixture on port 8080 and calls `callback` (no arguments) once it is listening.
 *
 * Routes:
 *  - GET /api/v1/test-set-cookies: replies with a Set-Cookie whose Domain attribute names
 *    domain-b. The client requests it via domain-a, so a conforming user agent must drop the
 *    cookie (RFC 6265 §5.3: the request host must domain-match the Domain attribute).
 *  - GET /api/v1/test-get-cookies: echoes the request headers back as JSON so the client can
 *    see whether a Cookie header arrived.
 *
 * @param {() => void} callback - invoked after the server is bound
 */
function setupServer(callback) {
  const express = require('express');
  const api = express();

  api.get('/api/v1/test-set-cookies', (req, res) => {
    // Deliberately scoped to a foreign domain: this is the leak under test.
    res.append('Set-Cookie', 'my-precious-cookie=my-secret-info-hehehe; path=/; HttpOnly; Domain=.domain-b.com');
    res.json({ ok: true });
  });

  api.get('/api/v1/test-get-cookies', (req, res) => {
    // Logs and echoes every request header, including Cookie. Fine for a local
    // repro against throwaway values; never expose an endpoint like this for real.
    console.log('test-get-cookies', req.headers);
    res.json(req.headers);
  });

  const httpServer = api.listen('8080', () => {
    console.log(httpServer.address());
    callback();
  });
}
// ----------------- Test client
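/**
 * Drives zombie through both hosts and asserts that the cookie domain-a tried to
 * scope to domain-b never reaches domain-b.
 *
 * Requires www.domain-a.com and www.domain-b.com to resolve to 127.0.0.1 (see the
 * /etc/hosts note below) and the fixture server from setupServer on port 8080.
 *
 * @returns {Promise<void>}
 * @throws {AssertionError} if the secret shows up in the headers domain-b echoed
 *   back, i.e. the cookie jar accepted a cookie whose Domain attribute does not
 *   domain-match the host that set it (RFC 6265 §5.3).
 */
async function testClient() {
  const assert = require('assert');
  const Browser = require('zombie');
  const browser = new Browser({
    waitDuration: '30s',
    debug: true,
    runScripts: true
  });

  // domain-a tries to plant a cookie for domain-b ...
  await browser.visit('http://www.domain-a.com:8080/api/v1/test-set-cookies');
  // ... then domain-b echoes back the headers it actually received.
  await browser.visit('http://www.domain-b.com:8080/api/v1/test-get-cookies');
  const echoedHeaders = browser.text('body');

  // Strict comparison with a message, so a failure explains itself instead of "false == true".
  assert.strictEqual(
    echoedHeaders.includes('my-secret-info-hehehe'),
    false,
    'cookie set by domain-a with Domain=.domain-b.com was sent to domain-b'
  );
}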
The sample requires express
and obviously zombie
.
It also requires adding
127.0.0.1 www.domain-a.com
127.0.0.1 www.domain-b.com
in /etc/hosts
.
Notes:
- Running only the server part and making the same two requests from Chrome or Firefox does not reproduce this: both browsers discard the cookie, so it never shows up on domain-b. That is what made me believe Zombie's cookie jar is too permissive.
- The sample should be transformable to a test case pretty easily.
I believe the rules for which Domain values a user agent must accept or reject are specified in RFC 6265 (HTTP State Management Mechanism, which obsoletes RFC 2965), §5.3 step 6: if the request host does not domain-match the Domain attribute, the cookie is to be ignored entirely.