Burp Suite User Forum


Duplicate Cookies Set When Empty Cookies Exist

user | Last updated: Dec 17, 2021 08:36PM UTC

Hello,

When an empty cookie exists immediately before a replaced session cookie, the cookie is duplicated instead of replaced by session handling rules.

For example, if the cookie jar has this cookie:

    Domain: localhost
    Name: name
    Value: value1

and a request has this header:

    Cookie: empty; name=value2

when choosing to "Use cookies from Burp's cookie jar", the modified header will be:

    Cookie: empty; name=value2; name=value1

However, the expected header would be:

    Cookie: empty; name=value1

If the "empty" cookie is not included in the request, the cookie will be replaced as expected. It is easiest to see this issue using the Repeater.

Thank you.

Uthman, PortSwigger Agent | Last updated: Dec 20, 2021 02:06PM UTC

Hi,

I've been looking into this. The name-value pairs in the Cookie header expect the '=' as an indication that everything before it is the Name of the cookie and everything after is the Value, followed by a semicolon separating the pairs.

If you look at the 'Request cookies' in the Inspector Panel based on your example (Cookie: empty; name=value2) then you will see that:

  • The inspector thinks the name of this cookie is 'empty; name' and the value is 'value2', since there is no separator between the empty cookie name and empty value
  • Changing the cookie to 'Cookie: empty=; name=value2' should give you the behavior you want (i.e. updating the value of the 'name' cookie with 'value1')

Please let me know if you have any further questions.

user | Last updated: Dec 20, 2021 03:03PM UTC

Hello Uthman,

While I agree with you that the cookie is invalid, browsers appear to consistently treat empty cookies as those with an empty name and a value being the content:

    "What isn't mentioned, because Netscape were terrible at writing specs, but seems to be consistently supported by browsers: either the NAME or the VALUE may be empty strings. If there is no = symbol in the string at all, browsers treat it as the cookie with the empty-string name, ie Set-Cookie: foo is the same as Set-Cookie: =foo. When browsers output a cookie with an empty name, they omit the equals sign. So Set-Cookie: =bar begets Cookie: bar."
    https://stackoverflow.com/questions/1969232/what-are-allowed-characters-in-cookies/1969339#1969339

A cookie was found to be set in this manner on an actual website, where the browser was sending a cookie with an empty name in requests. The cookie was set using JavaScript similar to the following script:

    document.cookie = 'empty'

Regardless, I do think parsing the cookie name as "empty; name" could be considered *more* invalid, as ";" is not an acceptable cookie name character. Modifying the cookie parser to at least ignore the cookie seems reasonable, but following browser behavior would be ideal.

Thank you.
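The two posts above describe two ways of splitting a Cookie header: the browser convention, where a token without '=' is a cookie with an empty name, and a parse that glues the '='-less token onto the next name and so produces the duplicate reported at the top of the thread. The following is an added illustration, not code from the thread, from Burp or from PortSwigger; both parsers and the `apply_cookie_jar` helper are constructed here (the "naive" parser is a model of the reported symptom, not Burp's actual implementation), and the header and jar values are the ones the original poster gave.

```python
"""Cookie-header parsing: browser-style handling of '='-less pairs versus
a parse that glues such a token onto the following name.  Constructed
example; not the code of any real product."""
from typing import Callable, Dict, List, Tuple

# (name, value); name is "" for a token that carried no '=' (browser view)
Cookie = Tuple[str, str]


def parse_cookie_header_browser(header: str) -> List[Cookie]:
    """Split a Cookie header the way browsers do.

    Every ';'-separated token is one pair.  A token with no '=' is a cookie
    with an empty name whose value is the whole token, so 'empty; name=v'
    yields [('', 'empty'), ('name', 'v')].
    """
    pairs: List[Cookie] = []
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            name, value = token.split("=", 1)
            pairs.append((name.strip(), value.strip()))
        else:
            pairs.append(("", token))
    return pairs


def parse_cookie_header_naive(header: str) -> List[Cookie]:
    """Model of the mis-parse described in the thread (hypothetical).

    A token without '=' is not closed off; it is prepended to the next token's
    name, so 'empty; name=value2' becomes one cookie named 'empty; name'.
    A trailing '='-less token is dropped.
    """
    pairs: List[Cookie] = []
    pending = ""
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        if "=" not in token:
            pending = token if not pending else pending + "; " + token
            continue
        name, value = token.split("=", 1)
        if pending:
            name = pending + "; " + name
            pending = ""
        pairs.append((name.strip(), value.strip()))
    return pairs


def serialize_cookies(pairs: List[Cookie]) -> str:
    """Re-join pairs; like browsers, omit '=' for an empty-name cookie."""
    return "; ".join(value if name == "" else f"{name}={value}"
                     for name, value in pairs)


def apply_cookie_jar(header: str, jar: Dict[str, str],
                     parser: Callable[[str], List[Cookie]]) -> str:
    """Hypothetical 'use cookies from the jar' step.

    A request cookie whose name is in the jar takes the jar's value; jar
    cookies absent from the request are appended.  Which parser is used
    decides whether 'name' is matched or duplicated.
    """
    out: List[Cookie] = []
    seen = set()
    for name, value in parser(header):
        out.append((name, jar.get(name, value)))
        seen.add(name)
    for name, value in jar.items():
        if name not in seen:
            out.append((name, value))
    return serialize_cookies(out)


if __name__ == "__main__":
    jar = {"name": "value1"}          # the poster's cookie-jar entry
    header = "empty; name=value2"     # the poster's request header
    print(apply_cookie_jar(header, jar, parse_cookie_header_browser))
    print(apply_cookie_jar(header, jar, parse_cookie_header_naive))
```

Run with the browser-style parser the result is `empty; name=value1`, the header the poster expected; with the naive parser the `name` cookie is never matched and the jar entry is appended, giving `empty; name=value2; name=value1`, the duplication reported. The serializer also shows the round-trip the Stack Overflow quote describes: `('', 'bar')` is written back as `bar`, not `=bar`.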

Uthman, PortSwigger Agent | Last updated: Dec 21, 2021 04:15PM UTC

user | Last updated: Dec 23, 2021 03:27PM UTC

Thank you. Please do keep me updated. :)

Michelle, PortSwigger Agent | Last updated: Jan 05, 2022 03:53PM UTC

Thanks for your patience. I just wanted to let you know that we have been running some more tests and do seem to have found some differences in the way certain cookies are being seen by Burp's cookie jar when compared against how the embedded browser sees them. We'll be collating the results of these tests and raising this as a bug for our developers to investigate further. We'll link this thread so we can post back here when there are updates. Thank you for taking the time to raise this with us.
