azurewebsites-cookie

Overview

  • This project demonstrates an important security flaw in Azure App Service (also called Azure Websites), live since at least the 24th of November 2019.

  • When the CORS settings are used to limit CSRF on the app service, and the server responds with a Set-Cookie header that lacks the Secure flag, like this:

```js
// response header as sent by the app; note the absence of the Secure attribute
res.writeHead(200, {
  'Set-Cookie': `randomCookie=test; Path=/; HttpOnly; SameSite=Lax`,
});
```

  • Azure PaaS caches the cookie value and sends it along with every subsequent call to the server.

  • As a result, whenever a client without any local cookie calls the server, the server receives the most recently set cookie value in the request header, as if it were a global variable.

  • This does not occur when the Secure flag is present on the cookie, or when the CORS settings are not used. The flaw is a major concern because cookies are used for session management (session cookies, cookies holding access tokens, ...).

  • The Node.js app is very simple (https://github.com/jcbaey/azurewebsites-cookie/blob/master/index.js) and has no NPM dependencies: pure Node.js.

  • Node 10 LTS is used with the default Oryx deployment; App Service is used here as PaaS.

  • The Kestrel web server seems to be in use (seen in the response headers).

  • This issue cannot be reproduced locally or in a dedicated VM, only in an Azure web app.

  • As soon as I discovered this bug, I created a severity A case with the support on Monday, 2nd of December 2019.

  • Microsoft has created a public issue on the MS GitHub following my request: https://github.com/Azure/app-service-announcements-discussions/issues/128

Steps to reproduce

  • Create a new web app using Node.js 10 LTS + Linux

[Screenshot: azure-web-app-setup]

[Screenshot: global-cookie-issue]

  • This issue occurs when the CORS settings are used. If you have at least one entry on this page (which is the case by default: you get '*'), the issue happens:

[Screenshot: azure-cors-settings]
