tajMahal - 6 months ago
Javascript Question

How to fix header manipulation cookies using JavaScript?

My JavaScript code:

function CookieSetting(name, value) {
    var today = new Date();
    today.setTime( today.getTime() );
    var expires = 28;                          // lifetime in days
    expires = expires * 1000 * 60 * 60 * 24;   // converted to milliseconds
    var expires_date = new Date( today.getTime() + (expires) );
    // name and value go straight into the Set-Cookie header; only value is escaped
    document.cookie = name + "=" + escape( value ) +
        ( ( expires ) ? "; domain=" + window.location.hostname + ";path=/;expires=" + expires_date.toGMTString() : "" );
}

It's working fine, but when I run the Fortify tool, it is showing this error:

The method CookieSetting() includes unvalidated data in an HTTP response header.

This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Including unvalidated data in an HTTP response header can enable cache-poisoning cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

How can I fix this?


The problem is that if value comes from user input, he can attack your HTTP headers.

If he is able to insert CR (carriage return, also given by %0d or \r) into the value, then he can add other headers to your HTTP request (because HTTP headers are separated by CR). Source: Nice web article about those attacks.

Solution A)

I've looked into an existing implementation of a JavaScript setCookie, and what they do is:

optionsString = ( ( expires ) ? "; domain=" + window.location.hostname + ";path=/;expires=" + expires_date.toGMTString() : "" );
// value is percent-encoded, so CR/LF cannot reach the header
document.cookie = cookieName + '=' + encodeURIComponent( value ) + optionsString;

But if you do this, you would need the opposite method for getting the cookie, getCookie(), in which you would do decodeURIComponent() before returning the value.

I would try to sanitize your value with the encodeURIComponent() method.

Solution B)

Sanitize the name parameter

Another thing which you can try is just sanitizing your name with the escape method; maybe this is why the Fortify tool is complaining:

document.cookie = window.escape(name)+"="+window.escape(value) + ...
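The setCookie/getCookie pair from Solution A together with the name encoding from Solution B, as an added example that is not part of the original answer. The domain is passed in as a parameter (an assumption, instead of reading window.location.hostname) so the helpers also run outside a browser.

```javascript
// Builds the string assigned to document.cookie. Both name and value are
// percent-encoded, so a CR/LF in user input becomes "%0D%0A" and can no longer
// end the header line; the attributes are built from fixed strings only.
function buildCookieString(name, value, days, domain) {
  var cookie = encodeURIComponent(name) + "=" + encodeURIComponent(String(value));
  if (days) {
    var expiresDate = new Date(Date.now() + days * 24 * 60 * 60 * 1000);
    // toUTCString is the standard name for the deprecated toGMTString
    cookie += "; domain=" + domain + "; path=/; expires=" + expiresDate.toUTCString();
  }
  return cookie;
}

// getCookie counterpart: parses a "a=1; b=2" cookie string and returns the
// decoded value of one cookie, or null when it is absent.
function getCookieValue(cookieString, name) {
  var wanted = encodeURIComponent(name);
  var parts = cookieString.split(";");
  for (var i = 0; i < parts.length; i++) {
    var pair = parts[i].trim();
    var eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === wanted) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

// True when the string contains no raw CR or LF, i.e. nothing that could
// terminate the Set-Cookie header and start an injected header line.
function hasNoHeaderBreak(cookieString) {
  return !/[\r\n]/.test(cookieString);
}

// Browser-only wrapper; guarded so the pure helpers above also run in Node.
function setCookie(name, value, days) {
  if (typeof document === "undefined") return null;
  var cookie = buildCookieString(name, value, days, window.location.hostname);
  document.cookie = cookie;
  return cookie;
}

// Constructed sample input: a value carrying a CR/LF followed by a fake header.
var SAMPLE_VALUE = "x\r\nSet-Cookie: admin=true";
```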