How to read a parent domain's cookie - javascript

How can I access a cookie on ".bar.com" from javascript in a webpage at "foo.bar.com"?
document.cookie (in Chrome) doesn't appear to contain this cookie even though I can see it on the Resources tab in Chrome and see that its send to the web server on a POST.

when setting the cookie you define the domain it can be read from, subdomains also work.
There also exist http-only cookies, they can't be read using javascript but you will see them in the http request.

Related

Reading a cookie from a different domain

I'm developing a page/form for a campaign inside my company. However, the first step is to check if the person is logged in. This is easily checked against a cookie - CUSTOMER - that is set once they're logged in.
However:
1) I'm developing locally, not on the same domain, and, as a result can't see that cookie
2) The final campaign may or may not end up residing on the actual domain. They may end up using a vanity URL or something.
For purposes of this, let's assume I do NOT have access to the main domain where the cookie was set.
How can I read that cookie from off the domain? Oh, and since IT folks don't let us touch the back-end grumble, it has to be a JS solution.
Thanks!
You can't.
The only cookies you can read with client side JavaScript are those belonging to the host of the HTML document in which the <script> is embedded.
By setting withCredentials you can support cookies in cross-origin requests, but they are handled transparently by the browser and JS has no direct access to them (the XHR spec goes to far as to explicitly ban getAllResponseHeaders from reading cookie related headers). The only way for a cross-origin request to get access to cookies is for the server (which you say you don't have access to) to copy the data into the body or a different response header).
You can if you can install server side components.
You can use a dedicated domain to host your cookie and then share it using XSS technics
When dom1.foo.com logs in then you register a cookie on cookie.foo.com using an Ajax XSS call then when you go on dom2.foo.com you have to query cookie.foo.com with your XSS api
I' ve played with it some time ago
https://github.com/quazardous/mudoco/blob/master/mudoco/README.txt
It's just some sort of POC..

chrome-extension: grab all cross domain cookies under the url tab?

I am only able to grab cookies with the same domain, but when you view the cookies in the chrome dev tool, you can see a bunch of cookies with different domain values under the same url tree tab on the right like below. The circled cookie is from a different domain for example but show up under developer.chrome.com.
My question is how do you pull all the cookies from that domain tab with different domain values?
chrome.cookies.getAll({'url': "http://developer.chrome.com"}, function (cookies) {
if (cookies) {
console.log(cookies); //will only pull cookies with domain value developer.chrome.com
}
});
You need to inspect the requests being made on a tab to see which are making requests for cross-domain cookies.
In order to access the network api, you need to make a DevTools extension [info].
From there you need to make the following request:
chrome.devtools.network.getHAR()
This will log json regarding the network requests being made.
In that json, you can access a cookie object. The json is based on the HAR spec. [info]
You can read all your cookies by accessing document.cookie and parse accordingly.
See an example here
document.cookie won't give you access to the cookie from a script unless the HttpOnly flag has not been set by the web application whose cookies you're trying to access.
Also, you can't make cross-domain cookie requests unless there's an XSS or similar vulnerability.
The Chrome extension mentioned above seems able to inspect all browser traffic (cross domain) and pull the cookies from that traffic, although I haven't tried it myself so could be wrong on that point.

Python : Setting cookie into another website

I am implementing one advertising system in which when one user puts down script code into their website A. what I want to do at that time is set up a cookie into website A while it display response or resource of website B(Advertising System), so in present day when user comes again , I can log it's entry. I have read down this question and came to know that it is possible to set cookie into other website A when that website A is display content from another website B
In script I am executing one rest API and returning one response like below..
source_image = "http://example.com/media/format.png"
response = Response({'success':source_image})
response.set_cookie( 'cookie_name', 'cookie_value' )
return response
Now I am able to see cookie set in browser of the response of this url. But when I reload it ,cookie does not get display. Also why it is not getting display in the cookies section of the site in which I have put down script code.
Am I doing right thing to set up a cookie? And I have tried to set cookie's expiry date for 1 day. But still it is getting destroyed..Please help..
There are a few important things to know about cookies and browsers and how they interact across domains.
Websites can set cookies for their own website
Websites cannot set cookies for a different website
Cookies can be set on the response or using things such as JavaScript
The first two may seem confusing, especially when some sources say they are possible. It's important to note that they only affect cases where the response is directly setting the cookie using the Set-Cookie header, which allows a website to directly set a cookie. There are some special cases for things like subdomains, but in general you should not expect browsers to respect cookies set on other domains that you don't control.
If you were allowed to arbitrarily set cookies on other websites, this would open the door for websites to arbitrarily set and unset cookies you are using, even if they are unrelated. This would include the ability to log someone out across domains in just the response alone, which isn't possible.
The third point is important for cases like advertising, as cookies can be set using the Set-Cookie header (or response.set_cookie in Django) or using JavaScript through the document.cookie property. As JavaScript can included from any domain using the src property on <script> tags, any domain can manage cookies on another domain if it is included through JavaScript. This is important to how many analytics services, such as Google Analytics, work becuase it allows them to store unqiue cookies on each website for each user that is being monitored, even though they do not have full control over the response. They also typically use tracking beacons in the form of images to send data back to the external domain and associate it with the stored cookie.
The answer you linked to talks about this with images, but explains that it does not actually set the cookie on another domain. The cookie which is being set using the image or frame is stored only on the external domain, and cannot be accessed from the domain including the remote image.
Make sure that the HTTP header of "Set-Cookie" is being passed to the client in the HTTP response.
Try adding in the "domain" attribute for the cookie so the browser knows where to send the cookie.

Setting Cookies via AJAX CORS Response and accessing them in document.cookies

I have a working CORS set up in my app.
On the server side REST service I added setting of cookies in the ajax responses.This works great ,the next Ajax requests to the CORS service are sent with cookies.
Now I want on the client side to get/set the values these set cookies from javascript.
document.cookies returns an empty string even though they are sent from the browser with each request to the rest service(this means they are stored somewhere).
I am running both the service and the client from localhost, and in chrome developer tools in the resources tab under the cookies section these sent cookies are not present.
Where are these cookies stored and how can I access them ?
The only interface JavaScript (on a webpage) has for reading cookies is document.cookie which contains the cookies for the current HTML document.
Cookies set via a cross-domain Ajax request are not for the current HTML document, so are not available through that interface.
XMLHttpRequest does have a getAllResponseHeaders() method, but Set-Cookie headers are suppressed by browsers so you can't access them as they are being set either.

JavaScript and third party cookies

Say there is a site foo.com which loads JavaScript from site bar.com. Now, say the JavaScript from site bar.com tries to read cookies using document.cookies. I was under the impression that using JavaScript, you can read all the cookies set in the browser irrespective of their source. But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other. If this is the case, how are script injection attacks which steal cookies carried out?
But it turns out that the JavaScript from the site bar.com can only access cookies set by bar.com and not any other.
That isn't true. What matters is where the HTML document containing the <script> element is, not the URL of the JS file that said <script> mentions in the src attribute.
I suspect your problem is that you are accessing document.cookies when the property is called document.cookie (Singular!)
They load scripts inside the attacked page.
For instance, when comments in a blog system get compromised, they contain a script element that is executed when the page is rendered. This script can get the cookies and send it to the attacker's server.
That's why you should never trust user input and disallow at least certain tags in comments (or translate every < to <). But don't do this on the client side, as this prevention technique can easily be circumvented; test for (and change) malicious input on the server side.
You can only access cookies which have been set for the given domain name. From the Wikipedia article on cookies:
Beside the name/value pair, a cookie
may also contain an expiration date, a
path, a domain name, and whether the
cookie is intended only for encrypted
connections. RFC 2965 mandates cookies
have a version number, but this is
usually omitted. These pieces of data
follow the name=newvalue pair and are
separated by semicolons. For example,
a cookie can be created by the server
by sending a line Set-Cookie:
name=newvalue; expires=date; path=/;
domain=.example.org.
The domain and
path tell the browser that the cookie
has to be sent back to the server when
requesting URLs of a given domain and
path. If not specified, they default
to the domain and path of the object
that was requested. As a result, the
domain and path strings may tell the
browser to send the cookie when it
normally would not. For security
reasons, the cookie is accepted only
if the server is a member of the
domain specified by the domain string.
If foo.com sent a cookie which had the domain name of bar.com, or even .com, then JavaSCript code on bar.com could read that cookie. However most browsers are configured to only accept cookies when the domain name matches, and would reject such a cookie.

Categories

Resources