Yummy Cookies Across Domains
Vicent Martí (via Jeff Johnson):
As we’ve seen, by overflowing the cookie jar in the web browser, we can craft requests with evil cookies that cannot be blocked server-side. There’s nothing particularly new here: Both Egor’s original proof of concept and the variations exposed here have been known for a while.
As it stands right now, hosting custom user content under a subdomain is simply a security suicide, particularly accentuated by Chrome’s current implementation choices. While Firefox handles more gracefully the distinction between Parent Domain and Subdomain cookies (sending them in more consistent ordering, and separating their storage to prevent overflows from a subdomain), Chrome performs no such distinction and treats session cookies set through JavaScript the same way as Secure HttpOnly cookies set from the server, leading to a very enticing playground for tossing attacks.
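The reason the server cannot tell the cookies apart is that the Cookie request header carries only name=value pairs; Domain, Path, Secure and HttpOnly never leave the browser. The following is an added example (not code from the quoted post or from Vicent Martí) of the one server-side check that does help with the simpler tossing variant: parse the header preserving order and duplicates, and refuse the request when the session cookie name appears more than once. The cookie name `_session` and the sample headers are constructed for illustration. The overflow variant described above, where the subdomain evicts the legitimate cookie so only the planted one arrives, is indistinguishable from a normal request and passes this check; the last assertion in the usage makes that limit explicit.

```python
"""Detect duplicate cookie names in a Cookie header (cookie-tossing signal).

Added example, not part of the quoted post. The cookie name "_session"
and the sample headers below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs.

    Order and duplicates are preserved on purpose: the browser sends no
    Domain/Path/Secure/HttpOnly attributes on the wire, so the only hint
    the server ever gets that two cookies came from different scopes is
    that the same name shows up twice.
    """
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            continue  # malformed fragment without '='; ignore it
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_duplicate_names(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {name: [values...]} for every cookie name that appears more than once."""
    seen: Dict[str, List[str]] = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return {n: vs for n, vs in seen.items() if len(vs) > 1}


def session_from_header(
    header: str, session_name: str = "_session"
) -> Tuple[Optional[str], str]:
    """Extract the session cookie, refusing the request on duplicates.

    Returns (value, reason). Picking "the first one" is not safe because
    the order in which parent-domain and subdomain cookies are sent is
    not consistent across browsers, so a duplicate is treated as a hard
    failure rather than resolved.
    """
    pairs = parse_cookie_header(header)
    dups = find_duplicate_names(pairs)
    if session_name in dups:
        return None, "duplicate session cookie: possible cookie tossing"
    values = [v for n, v in pairs if n == session_name]
    if not values:
        return None, "no session cookie"
    return values[0], "ok"


# Constructed sample headers (not captured traffic).
NORMAL_HEADER = "_session=abc123; theme=dark"
TOSSED_HEADER = "_session=planted; _session=abc123"   # both scopes delivered
OVERFLOWED_HEADER = "_session=planted"                # legitimate cookie evicted

if __name__ == "__main__":
    for label, h in (("normal", NORMAL_HEADER),
                     ("tossed", TOSSED_HEADER),
                     ("overflowed", OVERFLOWED_HEADER)):
        print(label, session_from_header(h))
```

Running the block prints that the normal header is accepted, the tossed header is rejected, and the overflowed header is accepted as if it were normal: the duplicate check narrows the attack to the overflow variant, it does not close it, which is why the post concludes that user content on a subdomain cannot be made safe server-side.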