The middleware will echo any received value of the anoncsrf cookie in the Set-Cookie response, as there seems to be no validation of its value. This is a bit similar to a session fixation attack, but I can't think of an easy way of exploiting this because the cookie must already be there. The ability to echo an arbitrary string could, however, be used in some attacks against TLS and possibly DoS.
Request:
Cookie: anoncsrf=%0d%0a%00asd
Response:
Set-Cookie: anoncsrf=%0d%0a%00asd; expires=Fri, 28-Apr-2017 16:10:05 GMT; httponly; Max-Age=3600; Path=/; secure
The following code in init.py:151 should probably not echo the cookie value if it wasn't set by the server, or at least validate its length and charset:
```python
if use_anon_cookie:
    if ANON_COOKIE in request.COOKIES:
        # Client-supplied value is taken as-is, with no length or charset check.
        key = request.COOKIES[ANON_COOKIE]
...
if use_anon_cookie:
    # Set or reset the cache and cookie timeouts.
    response.set_cookie(ANON_COOKIE, key, max_age=ANON_TIMEOUT,
                        httponly=True, secure=request.is_secure())
```
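One way to add the missing validation, as an added example that is not the project's own code: the server only reuses a client-supplied anoncsrf value if it matches the shape of a key it would itself issue, and otherwise mints a fresh one instead of echoing the received string. It assumes (for this example only) that server-issued keys are 32 lowercase hex characters, and it uses a plain dict in place of `request.COOKIES`.

```python
import re
import secrets

# Assumption (constructed for this example): server-issued anon keys are
# 32 lowercase hex characters, as produced by secrets.token_hex(16).
ANON_COOKIE = "anoncsrf"
ANON_KEY_RE = re.compile(r"[0-9a-f]{32}")


def valid_anon_key(value):
    """True only if value looks like a key this server could have issued."""
    return isinstance(value, str) and ANON_KEY_RE.fullmatch(value) is not None


def resolve_anon_key(cookies):
    """Pick the key to (re)issue in Set-Cookie.

    Reuses a well-formed client value, otherwise mints a new one.
    Returns (key, reused) so the caller can see whether the client's
    cookie was trusted.
    """
    value = cookies.get(ANON_COOKIE)
    if value is not None and valid_anon_key(value):
        return value, True
    # Anything malformed (wrong length, control characters, wrong charset)
    # is discarded rather than echoed back to the client.
    return secrets.token_hex(16), False


if __name__ == "__main__":
    # Constructed sample inputs: the control-character value from the
    # report (decoded), a well-formed key, and a request with no cookie.
    samples = ({ANON_COOKIE: "\r\n\x00asd"}, {ANON_COOKIE: "0" * 32}, {})
    for cookies in samples:
        key, reused = resolve_anon_key(cookies)
        state = "reused" if reused else "fresh"
        print(repr(cookies.get(ANON_COOKIE)), "->", key, state)
```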