Tuesday, January 26, 2016

POC how to steal httponly session cookies with XSS using apache cookie overflow (CVE-2012-0053)


The basis of this attack is a known Apache vulnerability (CVE-2012-0053) which leaks all cookies (including HttpOnly cookies) in error response if cookie value exceeds the header field limit.


Vulnerable Apaches (2.2 - 2.2.21) shows all cookie values in error response.




Script to check if Apache is vulnerable.















Script
Script Input File (apache_cookie_overflow.tmp)

If the Apache server is vulnerable the response of the script
./apache_cookie_overflow <target> https
the response should look like that:







If the server is vulnerable and you are able to inject a JavaScript inside the webpage, the script can call a non existing page on the server using a XMLHttpRequest request  (exceeding cookie values) , parse the error message and send the session cookie value by creating an image tag with the sessionid value as image name, to send it to the target server. Attacker can find/parse the session cookie value from access log and overtake the session.