Thursday, January 23, 2025

New Cookie Sandwich Technique Allows Stealing of HttpOnly cookies


A new attack technique known as the “cookie sandwich” has surfaced, raising significant concerns among cybersecurity professionals.

This technique enables attackers to bypass the HttpOnly flag and access sensitive cookies, potentially exposing vulnerable applications to data theft and session hijacking.

Here’s a breakdown of this emerging threat, how it works, and its implications for web security.

The Birth of the “Cookie Sandwich” Technique

According to the PortSwigger report, the “cookie sandwich” technique exploits vulnerabilities in how certain web servers parse cookies, particularly when dealing with legacy cookies and special characters.

By carefully crafting cookie values with quotes and using browser-specific features, attackers can manipulate the structure of the Cookie header. This manipulation exploits server-side parsing mechanisms to expose otherwise protected cookies.


The attack hinges on the following key concepts:

  1. Legacy Cookie Parsing:
    • Some browsers and servers still support older cookie specifications, such as RFC2109, which allow non-standard characters and quoted values in cookies.
    • Attackers can create cookies with names starting with special characters like $, such as $Version.
  2. Crafting a Sandwich:
    • By setting cookies with strategically placed quotes, attackers can create overlapping cookie boundaries.
    • For instance:

document.cookie = `$Version=1;`;
document.cookie = `param1="start`;
document.cookie = `param2=end";`;

This causes the server to misinterpret the cookie structure, allowing cookies enclosed between the quotes to be treated as part of a single value.

  3. Exposing Cookies:
    • When the server reflects vulnerable cookies in its response, the entire manipulated string, including sensitive cookies, is exposed to client-side scripts or reflected to attackers.

Here’s how the manipulated Cookie header might look in a request:

GET / HTTP/1.1
Cookie: $Version=1; param1="start; sessionId=secret; param2=end"

A vulnerable server might respond with:

HTTP/1.1 200 OK
Set-Cookie: param1="start; sessionId=secret; param2=end";

If the application improperly reflects the param1 cookie or does not implement HttpOnly properly, attackers can capture sensitive cookie data like session IDs.

Real-World Exploitation

Popular frameworks like Flask handle cookies with quoted strings by default, making them susceptible to cookie sandwich attacks. For example:

Cookie: param1="start; sessionId=secret; param2=end"

In the server response, this could become:

Set-Cookie: param1="start\073 sessionId=secret\073 param2=end";

This parsing quirk can be exploited to expose sessionId values.
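To make the quirk concrete, here is an added illustration (not code from the article or from the PortSwigger research) that loads the article's example header, constructed inline, through Python's standard-library http.cookies parser, which is quote-aware in the RFC2109 style and reproduces the \073 re-encoding shown above, then compares it with a strict RFC6265 split and derives a simple detection check from the difference.

```python
from http.cookies import SimpleCookie

# Constructed request header mirroring the article's example (not captured traffic).
SANDWICH_HEADER = '$Version=1; param1="start; sessionId=secret; param2=end"'


def parse_legacy(header: str) -> dict:
    """Parse as http.cookies does: a quoted value may contain ';', so every
    cookie between the quotes is absorbed into one value. A leading '$Version'
    is treated as an attribute rather than a cookie and is dropped."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_rfc6265(header: str) -> dict:
    """Strict RFC6265 split: ';' always terminates a cookie-pair and double
    quotes are ordinary characters, so sessionId stays a separate cookie."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value.strip()
    return cookies


def reencoded(value: str) -> str:
    """How SimpleCookie serialises a value that now contains ';' (octal \\073),
    i.e. what a server reflecting param1 via Set-Cookie would emit."""
    out = SimpleCookie()
    out["param1"] = value
    return out["param1"].OutputString()


def swallowed_cookies(header: str) -> set:
    """Detection check: cookie names the strict parser yields but the
    quote-aware parser does not. A non-empty set is a sandwich-shaped header
    that middleware or a WAF can log or reject before any reflection occurs."""
    return set(parse_rfc6265(header)) - set(parse_legacy(header))


if __name__ == "__main__":
    print(parse_legacy(SANDWICH_HEADER))
    print(parse_rfc6265(SANDWICH_HEADER))
    print(reencoded(parse_legacy(SANDWICH_HEADER)["param1"]))
    print(swallowed_cookies(SANDWICH_HEADER))
```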

Exploiting a Vulnerable Tracking Application

In a reported real-world scenario, a tracking domain with a reflected session parameter was exploited:

  1. The attacker used a cross-origin request to force the server to reflect a manipulated cookie string, exposing an HttpOnly PHPSESSID cookie.
  2. By leveraging Apache Tomcat’s legacy cookie parsing, the attacker downgraded the server to the older, quote-aware cookie handling and executed the cookie sandwich attack.

This vulnerability highlights the importance of robust cookie handling and response sanitization on the server side. Here are some mitigation strategies:

  1. Use Modern Parsing Standards:
    • Ensure your application adheres to RFC6265 for strict cookie handling.
    • Disable support for legacy cookie parsing where possible.
  2. Enable HttpOnly and Secure Flags:
    • Always set the HttpOnly flag on sensitive cookies to prevent client-side scripting access.
    • Use the Secure flag to ensure cookies are only transmitted over HTTPS.
  3. Sanitize User Input and Responses:
    • Avoid reflecting user-controlled data in server responses without proper escaping and validation.
    • Implement a Content Security Policy (CSP) to mitigate XSS risks.
  4. Implement SameSite Cookies:
    • Use the SameSite attribute to restrict cross-site cookie transmission, reducing the attack surface.

The “cookie sandwich” technique underscores the evolving sophistication of web-based attacks. Organizations must stay vigilant, update their frameworks, and adopt modern security practices to protect against such exploits.

This discovery serves as a wake-up call for developers and security teams to prioritize secure cookie handling and robust input validation to safeguard user data.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
