When a third-party script executed within the same site for tracking purposes creates a persistent or tracking cookie, most often as a supercookie on *.example.com.
Google Analytics is an example, but it will never create double-encoded cookie values; however, I have often seen other providers that do have bugs such as double-encoded cookie values like http%253A%252F%252F.
The article doesn't explain much about what risk factors exist:
https://www.owasp.org/index.php/Double_Encoding
RFC6265 is not so strict:
The origin server is free to ignore the Cookie header.
and the syntax in section 4.1.1 allows for %, e.g. URI-based encoding fits in, which by the RFC for URIs should only be encoded once.
Another example is double-URI-encoded JSON.
We classify this type of cookie as not used in any server context apart from sending it back to the client. Based on the client context in which it is used it may create XSS, but browser-based plugins may also add cookies which fall in the same classification; a MITM may alter the cookie, or there may be cookie hijacking from http->301->https via WiFi, etc.
Suppose that HTTPS is in place and all other security headers are sent.
Are these real threats, and what are the risks and security implications of allowing double-encoded cookie values?
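An added example, not part of the question above, showing the client-side point the question raises: a value such as http%253A%252F%252F is harmless to a consumer that decodes it once, but a consumer that keeps calling decodeURIComponent until the string stops changing turns a percent-encoded payload into markup. The cookie strings and the two consumers below are constructed for this illustration; the names parseCookieHeader, encodingDepth, renderUnsafe and renderSafe are hypothetical helpers, not any library's API.

```javascript
// Constructed sample of a document.cookie-style string. "ref" is encoded twice
// (the bug described above), "good" once, and "xss" carries a double-encoded
// markup payload of the kind a tracking script might reflect back.
const SAMPLE_COOKIE =
  "ref=http%253A%252F%252Fexample.com%252F; " +
  "good=http%3A%2F%2Fexample.com%2F; " +
  "xss=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E; " +
  "sid=abc123";

// Split "a=b; c=d" into a name->value map without decoding anything.
function parseCookieHeader(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Count how many rounds of percent-decoding change the value.
// 0 = plain, 1 = encoded once (what RFC 3986 expects), 2+ = double (or deeper)
// encoded, which is the smell to flag. Malformed sequences stop the loop.
function encodingDepth(value, maxRounds = 5) {
  let depth = 0;
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
    depth++;
  }
  return depth;
}

// Unsafe consumer: "decode until stable", then treat the result as HTML.
// This is the pattern that turns a double-encoded cookie into XSS.
function renderUnsafe(value) {
  let current = value;
  for (;;) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return `<a href="${current}">${current}</a>`;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe consumer: decode exactly once, reject anything that still contains a
// percent-escape after that single round, and HTML-escape before use.
// Returns null when the value is rejected.
function renderSafe(value) {
  let once;
  try { once = decodeURIComponent(value); } catch (e) { return null; }
  if (/%[0-9A-Fa-f]{2}/.test(once)) return null; // still encoded: refuse it
  const safe = escapeHtml(once);
  return `<a href="${safe}">${safe}</a>`;
}

// Stand-alone run: report the encoding depth of every cookie in the sample.
function auditCookies(cookieString) {
  const jar = parseCookieHeader(cookieString);
  const report = {};
  for (const [name, value] of Object.entries(jar)) {
    report[name] = encodingDepth(value);
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditCookies(SAMPLE_COOKIE));
}
```

The strict rejection in renderSafe is deliberate: once the server has decided cookie values are single-encoded, any %XX left after one decode is either a bug in the setter or an attempt to smuggle a second layer past it, so refusing the value is cheaper than guessing. The cost is that a legitimately single-encoded literal percent sign (for example 100%2525) is also rejected; relax the check only if the application genuinely needs that.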