#33212: Incorrect cookie parsing by django.http.cookie.parse_cookie
-----------------------------------+--------------------------------------
Reporter: Christos Georgiou | Owner: nobody
Type: Bug | Status: new
Component: Core (Other) | Version: 3.2
Severity: Normal | Resolution:
Keywords: cookies | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------------+--------------------------------------
Comment (by Mr. Glass):
Replying to [comment:4 Mariusz Felisiak]:
> Replying to [comment:3 Mr. Glass]:
> > Parsing errors like this often lead to security vulnerabilities, and
> > an attacker will NOT use a client that conforms to standards
>
> As far as I'm aware you will first need to convince users to use such a
> browser.
One common vulnerability from a parsing mismatch is a WAF bypass. If the WAF
& application have a parsing mismatch, you can trick the WAF into allowing
requests through. See the 'Messing around with a WAF parser' section for
an example: https://blog.isec.pl/waf-evasion-techniques/
Typically this is because WAFs have bad parsers, but the vulnerability
works either way. This would typically be used for SQL injection and
would not require any user interaction.
Take this theoretical cookie:
{{{
user_id="12345"; invalid_cookie={"k1": "v1", "k2": "v2"}; user_id=";' DROP
TABLE important_data"
}}}
A Python-based WAF would see the user_id as a non-malicious integer, while
Django would have the value ";' DROP TABLE important_data" ready to be
injected.
This attack would require 0 user interaction.
Thankfully in Django, this attack would require custom authentication that
was vulnerable to SQL injection, since the ORM protects us.
--
Ticket URL: <https://code.djangoproject.com/ticket/33212#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
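The parser mismatch this comment describes, as an added example that is not part of the ticket thread or of Django's code base. The lenient parser below is a re-implementation of the loop in Django 3.2's django.http.cookie.parse_cookie, copied here so the script runs without Django installed (assumption: that file is unchanged since 3.2; check django/http/cookie.py yourself). The strict parser is the standard library's http.cookies.SimpleCookie, which is what a Python-based filter might reasonably use. The WAF rule, the two Cookie headers and the SQL-looking payload are all constructed for the demo; the payload deliberately contains no `;` or whitespace, because the lenient parser splits on `;` and the strict one treats a bare space as the end of a value.

```python
"""Constructed demo: one Cookie header, two Python parsers, two answers."""
from http import cookies


def parse_cookie_django_style(header: str) -> dict:
    # Re-implementation of Django 3.2's parse_cookie (assumption: unchanged
    # since 3.2). Splits on ';' only, never rejects anything, and a repeated
    # name keeps the LAST value seen.
    cookiedict = {}
    for chunk in header.split(';'):
        if '=' in chunk:
            key, val = chunk.split('=', 1)
        else:
            # Django assumes an empty name for a chunk without '='.
            key, val = '', chunk
        key, val = key.strip(), val.strip()
        if key or val:
            # Django calls the same private stdlib helper here.
            cookiedict[key] = cookies._unquote(val)
    return cookiedict


def parse_cookie_stdlib(header: str) -> dict:
    # What a tool built on the standard library sees. SimpleCookie's regex
    # parser stops at the first item it cannot match and silently drops the
    # remainder of the header, keeping only what it parsed before that point.
    jar = cookies.SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def waf_allows(header: str) -> bool:
    # Hypothetical WAF rule: if a user_id cookie is present it must be numeric.
    # It trusts the strict parser's view of the header.
    user_id = parse_cookie_stdlib(header).get('user_id')
    return user_id is None or user_id.isdigit()


def header_is_ambiguous(header: str) -> bool:
    # Defensive check a filter could run before trusting either parser: flag a
    # header whose lenient split repeats a name, or where the strict parser
    # kept fewer items than the lenient one (i.e. it dropped something).
    names = [chunk.split('=', 1)[0].strip()
             for chunk in header.split(';') if chunk.strip()]
    repeated = len(names) != len(set(names))
    dropped = len(parse_cookie_stdlib(header)) < len(parse_cookie_django_style(header))
    return repeated or dropped


# Constructed attacker header: a JSON-valued cookie the strict parser cannot
# match sits between a harmless user_id and a second user_id carrying the
# payload. SimpleCookie gives up at the JSON and never sees the second copy.
ATTACK_HEADER = 'user_id=12345; session={"k1": "v1"}; user_id=\'||sleep(5)--'

# Same duplicate-name trick without the unparseable cookie: both parsers
# agree (last value wins), so the WAF rule fires as intended.
PLAIN_HEADER = "user_id=12345; user_id='||sleep(5)--"


def compare(header: str) -> dict:
    # One row of evidence per header: what the filter decides, what it saw,
    # and what the application will actually act on.
    return {
        'waf_allows': waf_allows(header),
        'waf_sees': parse_cookie_stdlib(header).get('user_id'),
        'app_sees': parse_cookie_django_style(header).get('user_id'),
        'ambiguous': header_is_ambiguous(header),
    }


if __name__ == '__main__':
    for label, header in (('attack', ATTACK_HEADER), ('plain', PLAIN_HEADER)):
        print(label, compare(header))
```

The filter passes ATTACK_HEADER because the only user_id it can see is 12345, while the application receives the payload; PLAIN_HEADER is blocked because both parsers agree. The practical takeaway for a filter author is the last function: rather than trying to out-guess every downstream parser, reject or escalate any Cookie header that repeats a name or that your own parser cannot consume in full.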