Exploiting Session Fixation via Stored XSS and Cookie Jar Overflow Attack

Summary:
The pentester encountered a session fixation vulnerability in a PHP web application, but knew it might not be taken seriously on its own. To demonstrate its severity, they combined it with an existing XSS vulnerability and a lesser-known technique called the Cookie Jar Overflow Attack. This combination allowed them to show how an attacker could bypass security measures and hijack user sessions.

Session Fixation involves setting a victim’s session ID before they log in, allowing the attacker to hijack the session after authentication. However, XSS alone is often not sufficient to steal cookies because modern security practices use the HttpOnly flag to prevent JavaScript from accessing cookies. This is where the Cookie Jar Overflow Attack comes in. It exploits the limited number of cookies a browser can store by flooding the cookie storage, causing older cookies, like PHPSESSID, to be evicted and replaced with an attacker-controlled session ID. This can occur even when the HttpOnly flag is set, because the flag only blocks script from reading the cookie, not from filling the jar until it is evicted.

Security Officer Comments:
To execute this attack, the pentester used a malicious payload combining XSS with the overflow technique. The payload filled the cookie jar with 999 cookies, forcing the eviction of the legitimate PHPSESSID and replacing it with an attacker-controlled one. This allowed the pentester to take over the victim’s session once they logged in again, enabling actions like generating a private API key.

By chaining these vulnerabilities, the pentester highlighted the critical impact, resulting in a high-severity rating and an $800 reward. The developers quickly patched the XSS and session fixation issues.

Suggested Corrections:
Mitigating the combined session fixation, XSS, and cookie jar overflow attacks requires a multi-layered approach. Regenerating session IDs upon user login prevents attackers from using pre-set session IDs, while applying the HttpOnly and Secure flags keeps cookies out of reach of script and off plaintext connections. Input validation, output encoding, and implementing a strict Content Security Policy (CSP) can prevent XSS attempts, while limiting the number of cookies and monitoring for unusual cookie behavior can help mitigate cookie overflow risks.
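The following is an added example, not code from the original write-up or the affected application: a PHP login path applying the corrections above, plus a request-time check for the cookie-flooding pattern. `verify_credentials()` is a hypothetical helper and the cookie-count threshold is an assumed value.

```php
<?php
// Added example (not from the original write-up): hardened PHP session handling
// applying the suggested corrections. verify_credentials() is a hypothetical helper.
declare(strict_types=1);

// Reject session IDs the server never issued: a PHPSESSID planted by an attacker
// (via XSS or cookie jar overflow) is discarded and a fresh ID is generated.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// HttpOnly keeps the cookie away from document.cookie, Secure limits it to HTTPS,
// SameSite reduces cross-site delivery.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'domain' => '',
    'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
]);

// Flag requests whose raw Cookie header looks like a jar overflow: far more
// cookies than the app ever sets, or the same cookie name appearing twice.
// PHP's $_COOKIE collapses duplicates, so parse the raw header. Limit is assumed.
function cookie_header_anomaly(string $rawCookieHeader, int $maxCookies = 30): ?string
{
    $names = [];
    foreach (explode(';', $rawCookieHeader) as $pair) {
        $name = trim(strstr($pair . '=', '=', true));
        if ($name !== '') { $names[] = $name; }
    }
    if (count($names) > $maxCookies) {
        return 'too many cookies: ' . count($names);
    }
    $dupes = array_keys(array_filter(array_count_values($names), fn($n) => $n > 1));
    return $dupes ? 'duplicate cookie names: ' . implode(',', $dupes) : null;
}

if (($why = cookie_header_anomaly($_SERVER['HTTP_COOKIE'] ?? '')) !== null) {
    error_log('possible cookie jar overflow from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $why);
}

session_start();

function login(string $user, string $pass): bool
{
    $userId = verify_credentials($user, $pass); // hypothetical helper
    if ($userId === null) { return false; }
    // Regenerate at the privilege boundary and delete the old session data, so a
    // pre-set (fixated) ID never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'auth_time' => time()];
    return true;
}
```

With `session.use_strict_mode` on, a planted PHPSESSID is never adopted, so the fixation half of the chain fails even if the jar overflow succeeds; the anomaly log line gives the SOC something to alert on.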

Link(s):
https://akashc99.medium.com/exploit...s-and-cookie-jar-overflow-attack-7cf8d60e1f9e