Duplicate cookies with different path attributes aren't being saved to the cookie jar

wspires's Avatar


29 Feb, 2016 09:09 PM

On certain applications, such as Wordpress, cookies with identical name/value pairs, but different attributes (i.e. path) aren't being saved to the cookie jar.

An example of this behavior can be observed with Wordpress. Upon authenticating Wordpress sets the following nearly identical cookies that are required for a valid session:

Set-Cookie:       wordpress_f118b1aa61396f42c213c3b68701521a=admin%7C1456937403%7ChTUNEBNPzBYBLFp0YHviXgr1isLHOrNZnxAT4GJamXn%7C17ae8fd968fec56b2701b03bc517f5763388df96f0989b196b97fcd1822c281f; path=/wordpress/wp-content/plugins; httponly
Set-Cookie:       wordpress_f118b1aa61396f42c213c3b68701521a=admin%7C1456937403%7ChTUNEBNPzBYBLFp0YHviXgr1isLHOrNZnxAT4GJamXn%7C17ae8fd968fec56b2701b03bc517f5763388df96f0989b196b97fcd1822c281f; path=/wordpress/wp-admin; httponly
The only difference between the two cookies is the path attribute.

The behavior observed when proxying an Arachni scan with the autologin plugin enabled shows that Arachni successfully authenticates to Wordpress, but requests sent by Arachni post-authentication will not attach the above cookies which results in an unauthenticated scan.

Just to rule out that we weren't hitting a logout link, we've also tried setting "--scope-exclude-pattern=logout" and didn't observe Arachni hitting a logout link during the scan. We've also observed this behavior using a custom login script instead of the autologin plugin.

To further isolate this issue, we've also tried recreating this issue using a simple PHP login form that sets identical cookies with different path attributes and observed the same behavior. When only setting the cookie once, the issue is not observed.

Is there an issue with how Arachni detects duplicate cookies that is causing it to not add the cookie to its cookie jar?

  1. Support Staff 1 Posted by Tasos Laskos on 29 Feb, 2016 09:16 PM

    Tasos Laskos's Avatar

    Based on the code the path is included in the key used to store cookies, so they must be stored properly; something probably goes wrong down the line.

    I'll write a small demo webapp with identical behaviour and investigate.

    Thanks for the heads up.

  2. Support Staff 2 Posted by Tasos Laskos on 29 Feb, 2016 10:43 PM

    Tasos Laskos's Avatar

    Got it, will add some specs to prevent regressions and most likely have a nightly for you by tomorrow.

  3. Support Staff 3 Posted by Tasos Laskos on 01 Mar, 2016 10:39 PM

    Tasos Laskos's Avatar

    Nighlties are up, they should work fine now.

  4. 4 Posted by wspires on 02 Mar, 2016 02:59 PM

    wspires's Avatar

    Thanks for the quick turnaround! Just confirmed this is working now in the nightlies.

  5. Support Staff 5 Posted by Tasos Laskos on 02 Mar, 2016 03:00 PM

    Tasos Laskos's Avatar

    Excellent. :)

  6. Tasos Laskos closed this discussion on 02 Mar, 2016 03:00 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac