Dax89 / WebPirate

A Tabbed, WebKit based Browser Web for SailfishOS
GNU General Public License v3.0

Cookies from one domain sent in request to different domain in another tab #85

Closed sam-hobbs closed 7 years ago

sam-hobbs commented 7 years ago

A couple of days ago I was browsing my own website (https://samhobbs.co.uk) and another site (http://www.leatherman.com/ and http://www.leatherman.co.uk/) in two different tabs in webpirate (latest version 2.1-3).

I run Apache's security module (modsecurity) on my own website and it blocked one of the requests I sent. Inspecting the log, it seems the request was blocked because of suspected SQL injection in a cookie that did not belong to my site (I believe it belonged to one of the leatherman domains due to its content).

To be clear, the request contained the leatherman cookies that triggered the rules in addition to the correct cookies for my domain (so it's probably not an off-by-one error where webpirate sent the cookies for the wrong site, which was my first thought).

I will extract the relevant section from the modsecurity log file later; I don't have access to it at the moment. What that won't tell me is information about the original cookie: I know what was sent to my server, but not which domains the cookie was supposed to be for, how long it was supposed to last, etc. From the name, I think it was a tracking cookie, but I can't be sure.

Unfortunately, I cleared the cookie so I could access my site again, and I have been unable to recreate the bug - but I do have a record of the requests, from the modsecurity log file.

My site and the leatherman site are not linked in any way. My site doesn't use any analytics or tracking software, so there shouldn't be any shared cookies of any sort.

I don't think there are any wildcard cookies that are supposed to be sent to every website (are there?). If not, this might be a bug in webpirate.

Interested to hear what you think!

llelectronics commented 7 years ago

Cookie handling is done by webkit itself. It might be a bug in webkit. Jolla seems not to bother fixing or compiling newer webkit versions. So yes, you can expect more bugs of this sort. Hopefully with the Qt 5.6 upgrade coming to SailfishOS we will have a webengine then that gets regular updates (as 5.6 is a LTS release). Only downside would be lesser direct controls that make it very very hard to base a browser on top of WebEngine.

sam-hobbs commented 7 years ago

Hey, thanks for the fast response. I'll update the bug report later for completeness anyway.

What does this mean for the long-term development of webpirate? Are you saying the QtWebKit to QtWebEngine changes mean it won't be possible to build a decent browser (or that the new version wouldn't have as many features)?

I found this link, but I must admit I don't understand the implications (I haven't used qtwebkit in anger): https://wiki.qt.io/Porting_from_QtWebKit_to_QtWebEngine

llelectronics commented 7 years ago

Time will tell if it is possible to build a decent browser with it.

sam-hobbs commented 7 years ago

It happened again. Am I able to rummage around webpirate's data to find this cookie using fingerterm?

Audit log below:

```
--fc42de14-A--
[14/Sep/2016:13:15:27 +0100] V9k-X38AAQEAABhS9VIAAAAQ 213.205.194.246 58798 192.168.1.2 443
--fc42de14-B--
GET /comment/16522 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://samhobbs.co.uk/admin/content/comment/approval
User-Agent: Mozilla/5.0 (U; Linux; Maemo; Jolla; Sailfish; like Android 4.3) AppleWebKit/538.1 (KHTML, like Gecko) WebPirate/2.1 like Mobile Safari/538.1 (compatible)
Cookie: SSESSREDACTED; __cq_uuid=REDACTED; __cq_bc=%7B%22aamv-leatherman-uk%22%3A%5B%7B%22id%22%3A%2218%22%2C%22sku%22%3A%22lt85%22%7D%5D%7D; __cq_seg=f0; has_js=1; Drupal.toolbar.collapsed=0
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,*
Host: samhobbs.co.uk

--fc42de14-F--
HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15768000
X-Clacks-Overhead: GNU Terry Pratchett
Content-Length: 707
Connection: close
Content-Type: text/html; charset=UTF-8

--fc42de14-H--
Message: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" at REQUEST_COOKIES:__cq_bc. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within REQUEST_COOKIES:__cq_bc: {\x22aamv-leatherman-uk\x22:[{\x22id\x22:\x2218\x22,\x22sku\x22:\x22lt85\x22}]}"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((? ..." at REQUEST_COOKIES:__cq_bc. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,\x22sku\x22:\x22lt85\x22}]} found within REQUEST_COOKIES:__cq_bc: {\x22aamv-leatherman-uk\x22:[{\x22id\x22:\x2218\x22,\x22sku\x22:\x22lt85\x22}]}"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4 ..." at REQUEST_COOKIES:__cq_bc. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \x22:[{\x22id\x22:\x221 found within REQUEST_COOKIES:__cq_bc: {\x22aamv-leatherman-uk\x22:[{\x22id\x22:\x2218\x22,\x22sku\x22:\x22lt85\x22}]}"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Pattern match "(?i:(?:in\\s*?\\(+\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\d\\s*?(?:--|#)) ..." at REQUEST_COOKIES:__cq_bc. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "239"] [id "981246"] [msg "Detects basic SQL authentication bypass attempts 3/3"] [data "Matched Data: \x22aamv-leatherman-uk\x22:[{\x22 found within REQUEST_COOKIES:__cq_bc: {\x22aamv-leatherman-uk\x22:[{\x22id\x22:\x2218\x22,\x22sku\x22:\x22lt85\x22}]}"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor ..." at REQUEST_COOKIES:__cq_bc. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "245"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: -leatherman-uk\x22:[{\x22i found within REQUEST_COOKIES:__cq_bc: {\x22aamv-leatherman-uk\x22:[{\x22id\x22:\x2218\x22,\x22sku\x22:\x22lt85\x22}]}"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Access denied with code 501 (phase 2). Pattern match "(.*)" at TX:981172-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-REQUEST_COOKIES:__cq_bc. [file "/etc/modsecurity/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 23, SQLi=5, XSS=0): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: {\x22aamv-leatherman-uk\x22:[{\x22"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 23, SQLi=5, XSS=0): 981243-Detects classic SQL injection probings 2/2"]
Message: Warning. Pattern match ".*" at TX:hostname. [file "/etc/modsecurity/modsecurity_crs_61_ip_forensics_fixedpath.conf"] [line "37"] [id "900037"] [msg "Client Nslookup/WHOIS Abuse Info."] [data "Hostname: NONE and WHOIS Abuse Contact: NONE"]
Message: Warning. Geo lookup for "213.205.194.246" succeeded. [file "/etc/modsecurity/modsecurity_crs_61_ip_forensics_fixedpath.conf"] [line "54"] [id "900039"] [msg "Logging GeoIP Data due to anomaly score."] [data "Country Code=GB, Country Code3=GBR, Country Name=United Kingdom, Country Continent=EU, City=London"] [severity "NOTICE"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1473855327124106 35240 (- - -)
Stopwatch2: 1473855327124106 35240; combined=34295, p1=358, p2=2890, p3=0, p4=0, p5=31002, sr=74, sw=45, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.4.18 (Ubuntu)
Engine-Mode: "ENABLED"

--fc42de14-Z--
```

To save you wading through the whole thing, the cookie in question is this one:

__cq_bc=%7B%22aamv-leatherman-uk%22%3A%5B%7B%22id%22%3A%2218%22%2C%22sku%22%3A%22lt85%22%7D%5D%7D;

Which decoded contains:

__cq_bc={"aamv-leatherman-uk":[{"id":"18","sku":"lt85"}]};

The reason I said I thought it was a tracking cookie is because I found a couple of privacy policies that refer to cookies with the same name:

http://www.versace.com/us/en-us/about-us/cookie-policy.html
http://eu.truereligion.com/cookie-policy.html

sam-hobbs commented 7 years ago

Found it!

```
[nemo@localhost ~]$ sqlite3 .local/share/harbour-webpirate/harbour-webpirate/.QtWebKit/cookies.db
SQLite version 3.8.5 2014-06-04 14:06:34
Enter ".help" for usage hints.
sqlite> .tables
cookies
sqlite> .schema cookies
CREATE TABLE cookies (cookieId VARCHAR PRIMARY KEY, cookie BLOB);
sqlite> select * from cookies where cookie glob "*__cq_bc*";
.leatherman.com__cq_bc|__cq_bc=%7B%22aamv-leatherman%22%3A%5B%7B%22id%22%3A%2218%22%2C%22sku%22%3A%22830845%22%7D%2C%7B%22id%22%3A%2210%22%2C%22sku%22%3A%22830037%22%7D%5D%7D; expires=Thu, 13-Oct-2016 09:43:00 GMT; domain=.leatherman.com; path=/
.uk__cq_bc|__cq_bc=%7B%22aamv-leatherman-uk%22%3A%5B%7B%22id%22%3A%2218%22%2C%22sku%22%3A%22lt85%22%7D%5D%7D; expires=Thu, 13-Oct-2016 09:44:26 GMT; domain=.uk; path=/
```

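
The second row is scoped to `domain=.uk`, a public suffix, so it domain-matches samhobbs.co.uk and every other .uk host. The following is an added example, not code from WebPirate or QtWebKit: it applies the RFC 6265 section 5.3 Domain-attribute checks a conforming cookie jar performs at storage time, with `PUBLIC_SUFFIXES` as a constructed stand-in for the Public Suffix List and the Set-Cookie headers constructed to mirror the two rows above (which host set the .uk cookie is assumed).

```python
# Added example, not WebPirate or QtWebKit code: the RFC 6265 section 5.3 checks a
# cookie jar applies to the Domain attribute, and why a cookie stored under "domain=.uk"
# domain-matches samhobbs.co.uk. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk"}

def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: host equals cookie_domain or is a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def parse_set_cookie(header):
    """Split a Set-Cookie line into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def effective_domain(request_host, attrs):
    """Domain to store the cookie under, or None when RFC 6265 5.3 says to ignore it."""
    domain = attrs.get("domain", "").lower().lstrip(".")
    if not domain:
        return request_host  # no Domain attribute: host-only cookie
    if domain in PUBLIC_SUFFIXES and domain != request_host:
        return None  # public suffix, e.g. domain=.uk set by www.leatherman.co.uk
    if not domain_matches(request_host, domain):
        return None  # setting host is not inside the Domain it claims
    return domain

def store_all(entries):
    """Apply the checks to (request host, Set-Cookie) pairs; return (jar, rejected)."""
    jar, rejected = [], []
    for host, header in entries:
        name, _, attrs = parse_set_cookie(header)
        domain = effective_domain(host, attrs)
        if domain is None:
            rejected.append((host, attrs.get("domain")))
        else:
            jar.append((name, domain))
    return jar, rejected

def cookies_for(request_host, jar):
    """Names of stored cookies the jar would attach to a request for request_host."""
    return [name for name, domain in jar if domain_matches(request_host, domain)]

SET_COOKIES = [  # constructed, mirroring the two cookies.db rows (values shortened)
    ("www.leatherman.com", "__cq_bc=a; expires=Thu, 13-Oct-2016 09:43:00 GMT; domain=.leatherman.com; path=/"),
    ("www.leatherman.co.uk", "__cq_bc=b; expires=Thu, 13-Oct-2016 09:44:26 GMT; domain=.uk; path=/"),
]
```

With the checks applied, `store_all(SET_COOKIES)` keeps only the `.leatherman.com` cookie and rejects the `.uk` one; storing the `.uk` row anyway, as the database above did, makes `cookies_for("samhobbs.co.uk", [("__cq_bc", "uk")])` return the cookie, which is exactly the request modsecurity blocked.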
Dax89 commented 7 years ago

There is a builtin cookie manager that does queries for you :P

sam-hobbs commented 7 years ago

Where?

Dax89 commented 7 years ago

The "bottom bar" where there are tabs, closed tabs, sessions, etc. is scrollable; you can find the cookie editor there.

sam-hobbs commented 7 years ago

Well, that was easier!

Could you add a hint in the UI to show you can scroll that bottom bar? I've been using webpirate as my main browser for over a year and I didn't know it was there!

Dax89 commented 7 years ago

Some users have requested the same thing: I still have to figure out how to make those "hints"