Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stealing HttpOnly cookies with the cookie sandwich technique

Zakhar Fedotkin - PortSwigger
  • In an earlier post, the author dug into cookie parsing and learned that, long ago, a cookie's $Version attribute was required. Many servers downgrade to a legacy cookie parser when that attribute is present, which has been used for WAF bypass techniques.
  • By crafting a cookie string that is valid under both the normal and the legacy parser, weird things can be done with single and double quotes. Chrome and many other browsers ignore $Version in the Cookie header because they don't support it, so it can be set from JavaScript.
  • HttpOnly is a browser protection that stops JavaScript from reading cookies that carry the flag. The author had found an XSS bug but wanted to steal the cookie. They also found an endpoint that reflected the session name. By using the $Version attribute to downgrade the parser, the ENTIRE quoted string was sent back, including the PHPSESSID.
  • The attack works as follows:
    1. Inject a cookie from JavaScript containing $Version=1,session="deadbeef. Note the double quote at the beginning that is never closed.
    2. Append the cookie dummy=qz". This closes the quoted string.
    3. Make the CORS request to fetch the session name. It returns the entire quoted string, including the real session information that was sandwiched in the middle of it.
  • The ordering of the cookies matters immensely here. Luckily, it is deterministic and can be controlled through the age of the cookie and its path. I personally love these parser differential bugs! Super fun issue.
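To make the parser differential concrete, here is an added Python model (not code from the PortSwigger post) of a modern split-on-semicolon parser beside a hypothetical $Version-aware legacy parser, plus a server-side check that flags a Cookie header where the two would disagree in the way described above. Both parsers, the check and the sample header are constructed for illustration and do not reproduce any particular server's implementation.

```python
import re

# Constructed sample matching the steps above: the JS-settable 'session'
# cookie opens a quote, the HttpOnly PHPSESSID sits in the middle and
# 'dummy' closes the quote.
SAMPLE_HEADER = '$Version=1; session="deadbeef; PHPSESSID=abc123secret; dummy=qz"'
NAME_RE = re.compile(r'\s*([^=;]+)=')


def parse_modern(header: str) -> dict:
    """RFC 6265 style: split on ';', then on the first '='; quotes are not interpreted."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_legacy(header: str) -> dict:
    """Hypothetical $Version-aware parser: a value that starts with '"' runs
    until the next '"', even across ';', so anything sandwiched inside is
    swallowed into that one value (the surrounding quotes are stripped)."""
    cookies, i, n = {}, 0, len(header)
    while (m := NAME_RE.match(header, i)):
        name, i = m.group(1).strip(), m.end()
        if i < n and header[i] == '"':
            close = header.find('"', i + 1)
            close = n if close == -1 else close  # unterminated quote: take the rest
            value, i = header[i + 1:close], close + 1
        else:
            close = header.find(";", i)
            close = n if close == -1 else close
            value, i = header[i:close].strip(), close
        cookies[name] = value
        while i < n and header[i] in "; ":  # skip separators
            i += 1
    return cookies


def looks_like_sandwich(header: str) -> bool:
    """Server-side check: $Version is set and the legacy parser would fold a
    ';' separator into one quoted value, i.e. the parsers disagree in exactly
    the way the technique needs. A plain quoted cookie like a="x" is not flagged."""
    if "$Version" not in parse_modern(header):
        return False
    return any(";" in value for value in parse_legacy(header).values())
```

Running the check in front of the application (or logging its hits) gives a cheap signal that a request is probing for this downgrade, independent of which parser the backend actually uses.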