
Active attacks can inject into request cookie values

Problem

Request cookie values should be injected with active check attacks. An injection location should be created for each cookie value sent in the request.

Proposal

Create a cookie value injection location that is responsible for both finding cookie values that could be replaced in an attack, as well as modifying an attack request to use the injection attack value instead of the cookie value.

Example

A request that sends the header cookie: valueA=12345; valueB=98765 should result in two injection locations, one for the valueA cookie value and one for the valueB cookie value.

Suggested implementation plan

  • In scanner/plugin/vulnerabilities/active_check, create a new file with struct CookieValueInjectionLocation
  • CookieValueInjectionLocation should implement browserk.InjectionLocation
    • Please add a constructor for NewCookieValueInjectionLocation(..) *CookieValueInjectionLocation
    • GetTypeName must return "cookie_value" so that checks like 22.1 can use it
    • GetReplacedParameterValue should return the real value of the cookie (i.e. 12345 or 98765 from the example above)
    • Modify should replace the cookie request header with a new cookie header that has the injection location replaced with the injected value
    • Describe should return value for cookie [cookie name]
  • Create a function called FindCookieValueInjectionLocations. Return a NewLazyInjectionLocationDetector where the search function returns an instance of *CookieValueInjectionLocation for every cookie value
  • Add active_check.FindCookieValueInjectionLocations() to InitializeInjectionLocationDetectionService for dependency injection. You will need to run make di in your terminal to rebuild wire.go.
    • It might be worth looking up the spec to find edge cases (e.g. setting the same cookie more than once, setting many cookies in the same header, sending cookies in more than one Cookie header, etc).
  • (optional) I'd recommend copying TestCheck22_1_1WithQueryParameterInjection to create TestCheck22_1_1WithCookieValueInjection
    • You can run check tests using GITLAB_API_TOKEN=[read your token from file] make test-checks. The token is required to download check definitions (read_api permission required)
    • I'd just use one of the test cases
    • You will need to create your own equivalent of QueryParameterInjection. These fake attacks give us confidence that the end-to-end search/replace works (we have real end-to-end tests)
  • Update the Attack request so that only authorization cookies are considered duplicates
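The sketch below is an added example of the search/replace described in the plan above; it is not code from the browserk project and does not use its real browserk.InjectionLocation interface or request type, whose shapes are not given here. It assumes a plain *http.Request, models each location by the Cookie header line and pair position it came from (so the same cookie name sent twice still yields two distinct locations, one of the edge cases mentioned above), and rebuilds only the affected header line when injecting.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// CookieValueInjectionLocation describes one cookie value in a request that an
// active check may replace with an attack payload. Hypothetical type: the real
// browserk.InjectionLocation interface is not shown on the page.
type CookieValueInjectionLocation struct {
	headerIndex int    // which Cookie header line the pair came from
	pairIndex   int    // position of the name=value pair within that line
	name        string // cookie name, e.g. "valueA"
	value       string // original cookie value, e.g. "12345"
}

func NewCookieValueInjectionLocation(headerIndex, pairIndex int, name, value string) *CookieValueInjectionLocation {
	return &CookieValueInjectionLocation{headerIndex: headerIndex, pairIndex: pairIndex, name: name, value: value}
}

// GetTypeName is the identifier checks use to select this location kind.
func (l *CookieValueInjectionLocation) GetTypeName() string { return "cookie_value" }

// GetReplacedParameterValue returns the real value the payload will replace.
func (l *CookieValueInjectionLocation) GetReplacedParameterValue() string { return l.value }

// Describe returns a human-readable label for reports.
func (l *CookieValueInjectionLocation) Describe() string { return "value for cookie " + l.name }

// Modify rewrites the Cookie header so that this one pair carries the injected
// value while every other cookie, including duplicates of the same name, is kept.
func (l *CookieValueInjectionLocation) Modify(req *http.Request, injected string) {
	lines := append([]string(nil), req.Header.Values("Cookie")...) // copy, don't alias
	if l.headerIndex >= len(lines) {
		return
	}
	pairs := splitCookiePairs(lines[l.headerIndex])
	if l.pairIndex >= len(pairs) {
		return
	}
	pairs[l.pairIndex] = l.name + "=" + injected
	lines[l.headerIndex] = strings.Join(pairs, "; ")
	req.Header["Cookie"] = lines
}

// splitCookiePairs splits one Cookie header line on ';' and drops empty segments.
func splitCookiePairs(line string) []string {
	var pairs []string
	for _, p := range strings.Split(line, ";") {
		if p = strings.TrimSpace(p); p != "" {
			pairs = append(pairs, p)
		}
	}
	return pairs
}

// FindCookieValueInjectionLocations walks every Cookie header line and every
// name=value pair in it, producing one location per cookie value. Pairs without
// '=' have no value to inject and are skipped.
func FindCookieValueInjectionLocations(req *http.Request) []*CookieValueInjectionLocation {
	var locs []*CookieValueInjectionLocation
	for hi, line := range req.Header.Values("Cookie") {
		for pi, pair := range splitCookiePairs(line) {
			name, value, ok := strings.Cut(pair, "=")
			if !ok {
				continue
			}
			locs = append(locs, NewCookieValueInjectionLocation(hi, pi, strings.TrimSpace(name), value))
		}
	}
	return locs
}

func main() {
	// Constructed sample request matching the example in the issue.
	req, _ := http.NewRequest(http.MethodGet, "http://app.example.test/", nil)
	req.Header.Add("Cookie", "valueA=12345; valueB=98765")
	for _, loc := range FindCookieValueInjectionLocations(req) {
		fmt.Printf("%s -> %q\n", loc.Describe(), loc.GetReplacedParameterValue())
	}
	locs := FindCookieValueInjectionLocations(req)
	locs[1].Modify(req, "PAYLOAD")
	fmt.Println("modified header:", req.Header.Get("Cookie"))
}
```

Because Modify addresses the pair by position rather than by name, injecting into the second of two sid= cookies leaves the first untouched, which a name-based replace would get wrong.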

Helpful ideas/tips

  • See QueryParameterValueInjectionLocation for a very similar injection location implementation which is for query parameter values
  • Please write unit tests
  • We've written some coding guidelines covering the places where the team's practices differ from the GitLab Go practices.
Edited by Cameron Swords