├── .gitignore ├── api-server ├── index.js ├── package-lock.json └── package.json ├── malicious-server ├── index.js ├── package-lock.json └── package.json └── readme.md /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | -------------------------------------------------------------------------------- /api-server/index.js: -------------------------------------------------------------------------------- 1 | const express = require('express'); 2 | const cookieSession = require('cookie-session'); 3 | const cors = require('cors'); 4 | 5 | const app = express(); 6 | app.use( 7 | cors({ 8 | origin: 'http://flask.com:3001', 9 | credentials: true, 10 | }) 11 | ); 12 | app.use(express.json()); 13 | app.use( 14 | cookieSession({ 15 | signed: false, 16 | httpOnly: false, 17 | }) 18 | ); 19 | 20 | app.get('/setcookie', (req, res) => { 21 | req.session = { hi: 'there' }; 22 | res.send('Cookie set!'); 23 | }); 24 | 25 | app.get('/api', (req, res) => { 26 | res.send(req.session); 27 | }); 28 | 29 | app.listen(3000, () => { 30 | console.log('listening on 3000'); 31 | }); 32 | -------------------------------------------------------------------------------- /api-server/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "cookies", 3 | "version": "1.0.0", 4 | "lockfileVersion": 1, 5 | "requires": true, 6 | "dependencies": { 7 | "accepts": { 8 | "version": "1.3.7", 9 | "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.7.tgz", 10 | "integrity": "sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA==", 11 | "requires": { 12 | "mime-types": "~2.1.24", 13 | "negotiator": "0.6.2" 14 | } 15 | }, 16 | "array-flatten": { 17 | "version": "1.1.1", 18 | "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz", 19 | "integrity": "sha1-ml9pkFGx5wczKPKgCJaLZOopVdI=" 20 | }, 21 | "body-parser": { 
22 | "version": "1.19.0", 23 | "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz", 24 | "integrity": "sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw==", 25 | "requires": { 26 | "bytes": "3.1.0", 27 | "content-type": "~1.0.4", 28 | "debug": "2.6.9", 29 | "depd": "~1.1.2", 30 | "http-errors": "1.7.2", 31 | "iconv-lite": "0.4.24", 32 | "on-finished": "~2.3.0", 33 | "qs": "6.7.0", 34 | "raw-body": "2.4.0", 35 | "type-is": "~1.6.17" 36 | }, 37 | "dependencies": { 38 | "depd": { 39 | "version": "1.1.2", 40 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 41 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 42 | } 43 | } 44 | }, 45 | "bytes": { 46 | "version": "3.1.0", 47 | "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.0.tgz", 48 | "integrity": "sha512-zauLjrfCG+xvoyaqLoV8bLVXXNGC4JqlxFCutSDWA6fJrTo2ZuvLYTqZ7aHBLZSMOopbzwv8f+wZcVzfVTI2Dg==" 49 | }, 50 | "content-disposition": { 51 | "version": "0.5.3", 52 | "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.3.tgz", 53 | "integrity": "sha512-ExO0774ikEObIAEV9kDo50o+79VCUdEB6n6lzKgGwupcVeRlhrj3qGAfwq8G6uBJjkqLrhT0qEYFcWng8z1z0g==", 54 | "requires": { 55 | "safe-buffer": "5.1.2" 56 | } 57 | }, 58 | "content-type": { 59 | "version": "1.0.4", 60 | "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz", 61 | "integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==" 62 | }, 63 | "cookie": { 64 | "version": "0.4.0", 65 | "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz", 66 | "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==" 67 | }, 68 | "cookie-session": { 69 | "version": "1.4.0", 70 | "resolved": "https://registry.npmjs.org/cookie-session/-/cookie-session-1.4.0.tgz", 71 | "integrity": 
"sha512-0hhwD+BUIwMXQraiZP/J7VP2YFzqo6g4WqZlWHtEHQ22t0MeZZrNBSCxC1zcaLAs8ApT3BzAKizx9gW/AP9vNA==", 72 | "requires": { 73 | "cookies": "0.8.0", 74 | "debug": "2.6.9", 75 | "on-headers": "~1.0.2" 76 | } 77 | }, 78 | "cookie-signature": { 79 | "version": "1.0.6", 80 | "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz", 81 | "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw=" 82 | }, 83 | "cookies": { 84 | "version": "0.8.0", 85 | "resolved": "https://registry.npmjs.org/cookies/-/cookies-0.8.0.tgz", 86 | "integrity": "sha512-8aPsApQfebXnuI+537McwYsDtjVxGm8gTIzQI3FDW6t5t/DAhERxtnbEPN/8RX+uZthoz4eCOgloXaE5cYyNow==", 87 | "requires": { 88 | "depd": "~2.0.0", 89 | "keygrip": "~1.1.0" 90 | } 91 | }, 92 | "cors": { 93 | "version": "2.8.5", 94 | "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz", 95 | "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==", 96 | "requires": { 97 | "object-assign": "^4", 98 | "vary": "^1" 99 | } 100 | }, 101 | "debug": { 102 | "version": "2.6.9", 103 | "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", 104 | "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", 105 | "requires": { 106 | "ms": "2.0.0" 107 | } 108 | }, 109 | "depd": { 110 | "version": "2.0.0", 111 | "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", 112 | "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==" 113 | }, 114 | "destroy": { 115 | "version": "1.0.4", 116 | "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz", 117 | "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=" 118 | }, 119 | "ee-first": { 120 | "version": "1.1.1", 121 | "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", 122 | "integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=" 123 | }, 124 | "encodeurl": { 125 | "version": "1.0.2", 126 | 
"resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", 127 | "integrity": "sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=" 128 | }, 129 | "escape-html": { 130 | "version": "1.0.3", 131 | "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", 132 | "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=" 133 | }, 134 | "etag": { 135 | "version": "1.8.1", 136 | "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", 137 | "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=" 138 | }, 139 | "express": { 140 | "version": "4.17.1", 141 | "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz", 142 | "integrity": "sha512-mHJ9O79RqluphRrcw2X/GTh3k9tVv8YcoyY4Kkh4WDMUYKRZUq0h1o0w2rrrxBqM7VoeUVqgb27xlEMXTnYt4g==", 143 | "requires": { 144 | "accepts": "~1.3.7", 145 | "array-flatten": "1.1.1", 146 | "body-parser": "1.19.0", 147 | "content-disposition": "0.5.3", 148 | "content-type": "~1.0.4", 149 | "cookie": "0.4.0", 150 | "cookie-signature": "1.0.6", 151 | "debug": "2.6.9", 152 | "depd": "~1.1.2", 153 | "encodeurl": "~1.0.2", 154 | "escape-html": "~1.0.3", 155 | "etag": "~1.8.1", 156 | "finalhandler": "~1.1.2", 157 | "fresh": "0.5.2", 158 | "merge-descriptors": "1.0.1", 159 | "methods": "~1.1.2", 160 | "on-finished": "~2.3.0", 161 | "parseurl": "~1.3.3", 162 | "path-to-regexp": "0.1.7", 163 | "proxy-addr": "~2.0.5", 164 | "qs": "6.7.0", 165 | "range-parser": "~1.2.1", 166 | "safe-buffer": "5.1.2", 167 | "send": "0.17.1", 168 | "serve-static": "1.14.1", 169 | "setprototypeof": "1.1.1", 170 | "statuses": "~1.5.0", 171 | "type-is": "~1.6.18", 172 | "utils-merge": "1.0.1", 173 | "vary": "~1.1.2" 174 | }, 175 | "dependencies": { 176 | "depd": { 177 | "version": "1.1.2", 178 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 179 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 180 | } 181 | } 182 | }, 183 | "finalhandler": { 184 | "version": "1.1.2", 185 | "resolved": 
"https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz", 186 | "integrity": "sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==", 187 | "requires": { 188 | "debug": "2.6.9", 189 | "encodeurl": "~1.0.2", 190 | "escape-html": "~1.0.3", 191 | "on-finished": "~2.3.0", 192 | "parseurl": "~1.3.3", 193 | "statuses": "~1.5.0", 194 | "unpipe": "~1.0.0" 195 | } 196 | }, 197 | "forwarded": { 198 | "version": "0.1.2", 199 | "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz", 200 | "integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ=" 201 | }, 202 | "fresh": { 203 | "version": "0.5.2", 204 | "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz", 205 | "integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=" 206 | }, 207 | "http-errors": { 208 | "version": "1.7.2", 209 | "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.2.tgz", 210 | "integrity": "sha512-uUQBt3H/cSIVfch6i1EuPNy/YsRSOUBXTVfZ+yR7Zjez3qjBz6i9+i4zjNaoqcoFVI4lQJ5plg63TvGfRSDCRg==", 211 | "requires": { 212 | "depd": "~1.1.2", 213 | "inherits": "2.0.3", 214 | "setprototypeof": "1.1.1", 215 | "statuses": ">= 1.5.0 < 2", 216 | "toidentifier": "1.0.0" 217 | }, 218 | "dependencies": { 219 | "depd": { 220 | "version": "1.1.2", 221 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 222 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 223 | } 224 | } 225 | }, 226 | "iconv-lite": { 227 | "version": "0.4.24", 228 | "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz", 229 | "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==", 230 | "requires": { 231 | "safer-buffer": ">= 2.1.2 < 3" 232 | } 233 | }, 234 | "inherits": { 235 | "version": "2.0.3", 236 | "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz", 237 | "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=" 238 | }, 239 | "ipaddr.js": { 240 | "version": "1.9.1", 241 | 
"resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", 242 | "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==" 243 | }, 244 | "keygrip": { 245 | "version": "1.1.0", 246 | "resolved": "https://registry.npmjs.org/keygrip/-/keygrip-1.1.0.tgz", 247 | "integrity": "sha512-iYSchDJ+liQ8iwbSI2QqsQOvqv58eJCEanyJPJi+Khyu8smkcKSFUCbPwzFcL7YVtZ6eONjqRX/38caJ7QjRAQ==", 248 | "requires": { 249 | "tsscmp": "1.0.6" 250 | } 251 | }, 252 | "media-typer": { 253 | "version": "0.3.0", 254 | "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz", 255 | "integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=" 256 | }, 257 | "merge-descriptors": { 258 | "version": "1.0.1", 259 | "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz", 260 | "integrity": "sha1-sAqqVW3YtEVoFQ7J0blT8/kMu2E=" 261 | }, 262 | "methods": { 263 | "version": "1.1.2", 264 | "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz", 265 | "integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4=" 266 | }, 267 | "mime": { 268 | "version": "1.6.0", 269 | "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz", 270 | "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==" 271 | }, 272 | "mime-db": { 273 | "version": "1.44.0", 274 | "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.44.0.tgz", 275 | "integrity": "sha512-/NOTfLrsPBVeH7YtFPgsVWveuL+4SjjYxaQ1xtM1KMFj7HdxlBlxeyNLzhyJVx7r4rZGJAZ/6lkKCitSc/Nmpg==" 276 | }, 277 | "mime-types": { 278 | "version": "2.1.27", 279 | "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.27.tgz", 280 | "integrity": "sha512-JIhqnCasI9yD+SsmkquHBxTSEuZdQX5BuQnS2Vc7puQQQ+8yiP5AY5uWhpdv4YL4VM5c6iliiYWPgJ/nJQLp7w==", 281 | "requires": { 282 | "mime-db": "1.44.0" 283 | } 284 | }, 285 | "ms": { 286 | "version": "2.0.0", 287 | "resolved": 
"https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", 288 | "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=" 289 | }, 290 | "negotiator": { 291 | "version": "0.6.2", 292 | "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.2.tgz", 293 | "integrity": "sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw==" 294 | }, 295 | "object-assign": { 296 | "version": "4.1.1", 297 | "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", 298 | "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM=" 299 | }, 300 | "on-finished": { 301 | "version": "2.3.0", 302 | "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz", 303 | "integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=", 304 | "requires": { 305 | "ee-first": "1.1.1" 306 | } 307 | }, 308 | "on-headers": { 309 | "version": "1.0.2", 310 | "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz", 311 | "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==" 312 | }, 313 | "parseurl": { 314 | "version": "1.3.3", 315 | "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", 316 | "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==" 317 | }, 318 | "path-to-regexp": { 319 | "version": "0.1.7", 320 | "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz", 321 | "integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w=" 322 | }, 323 | "proxy-addr": { 324 | "version": "2.0.6", 325 | "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.6.tgz", 326 | "integrity": "sha512-dh/frvCBVmSsDYzw6n926jv974gddhkFPfiN8hPOi30Wax25QZyZEGveluCgliBnqmuM+UJmBErbAUFIoDbjOw==", 327 | "requires": { 328 | "forwarded": "~0.1.2", 329 | "ipaddr.js": "1.9.1" 330 | } 331 | }, 332 | "qs": { 333 | "version": "6.7.0", 334 | "resolved": "https://registry.npmjs.org/qs/-/qs-6.7.0.tgz", 335 | 
"integrity": "sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==" 336 | }, 337 | "range-parser": { 338 | "version": "1.2.1", 339 | "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", 340 | "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==" 341 | }, 342 | "raw-body": { 343 | "version": "2.4.0", 344 | "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.4.0.tgz", 345 | "integrity": "sha512-4Oz8DUIwdvoa5qMJelxipzi/iJIi40O5cGV1wNYp5hvZP8ZN0T+jiNkL0QepXs+EsQ9XJ8ipEDoiH70ySUJP3Q==", 346 | "requires": { 347 | "bytes": "3.1.0", 348 | "http-errors": "1.7.2", 349 | "iconv-lite": "0.4.24", 350 | "unpipe": "1.0.0" 351 | } 352 | }, 353 | "safe-buffer": { 354 | "version": "5.1.2", 355 | "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", 356 | "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" 357 | }, 358 | "safer-buffer": { 359 | "version": "2.1.2", 360 | "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", 361 | "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" 362 | }, 363 | "send": { 364 | "version": "0.17.1", 365 | "resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz", 366 | "integrity": "sha512-BsVKsiGcQMFwT8UxypobUKyv7irCNRHk1T0G680vk88yf6LBByGcZJOTJCrTP2xVN6yI+XjPJcNuE3V4fT9sAg==", 367 | "requires": { 368 | "debug": "2.6.9", 369 | "depd": "~1.1.2", 370 | "destroy": "~1.0.4", 371 | "encodeurl": "~1.0.2", 372 | "escape-html": "~1.0.3", 373 | "etag": "~1.8.1", 374 | "fresh": "0.5.2", 375 | "http-errors": "~1.7.2", 376 | "mime": "1.6.0", 377 | "ms": "2.1.1", 378 | "on-finished": "~2.3.0", 379 | "range-parser": "~1.2.1", 380 | "statuses": "~1.5.0" 381 | }, 382 | "dependencies": { 383 | "depd": { 384 | "version": "1.1.2", 385 | "resolved": 
"https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 386 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 387 | }, 388 | "ms": { 389 | "version": "2.1.1", 390 | "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz", 391 | "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg==" 392 | } 393 | } 394 | }, 395 | "serve-static": { 396 | "version": "1.14.1", 397 | "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.14.1.tgz", 398 | "integrity": "sha512-JMrvUwE54emCYWlTI+hGrGv5I8dEwmco/00EvkzIIsR7MqrHonbD9pO2MOfFnpFntl7ecpZs+3mW+XbQZu9QCg==", 399 | "requires": { 400 | "encodeurl": "~1.0.2", 401 | "escape-html": "~1.0.3", 402 | "parseurl": "~1.3.3", 403 | "send": "0.17.1" 404 | } 405 | }, 406 | "setprototypeof": { 407 | "version": "1.1.1", 408 | "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz", 409 | "integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw==" 410 | }, 411 | "statuses": { 412 | "version": "1.5.0", 413 | "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz", 414 | "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=" 415 | }, 416 | "toidentifier": { 417 | "version": "1.0.0", 418 | "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz", 419 | "integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==" 420 | }, 421 | "tsscmp": { 422 | "version": "1.0.6", 423 | "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", 424 | "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==" 425 | }, 426 | "type-is": { 427 | "version": "1.6.18", 428 | "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz", 429 | "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==", 430 | "requires": { 431 | 
"media-typer": "0.3.0", 432 | "mime-types": "~2.1.24" 433 | } 434 | }, 435 | "unpipe": { 436 | "version": "1.0.0", 437 | "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", 438 | "integrity": "sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw=" 439 | }, 440 | "utils-merge": { 441 | "version": "1.0.1", 442 | "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz", 443 | "integrity": "sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=" 444 | }, 445 | "vary": { 446 | "version": "1.1.2", 447 | "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", 448 | "integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw=" 449 | } 450 | } 451 | } 452 | -------------------------------------------------------------------------------- /api-server/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "cookies", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "", 11 | "license": "ISC", 12 | "dependencies": { 13 | "cookie-session": "^1.4.0", 14 | "cors": "^2.8.5", 15 | "express": "^4.17.1" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /malicious-server/index.js: -------------------------------------------------------------------------------- 1 | const express = require('express'); 2 | const cookieSession = require('cookie-session'); 3 | 4 | const app = express(); 5 | app.use(express.json()); 6 | app.use( 7 | cookieSession({ 8 | signed: false, 9 | }) 10 | ); 11 | 12 | app.get('/', (req, res) => { 13 | res.send(` 14 | 15 | 16 | 17 | 18 | 19 | 20 | 30 | 31 | 32 | `); 33 | }); 34 | 35 | app.listen(3001, () => { 36 | console.log('listening on 3001'); 37 | }); 38 | -------------------------------------------------------------------------------- /malicious-server/package-lock.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "cookies", 3 | "version": "1.0.0", 4 | "lockfileVersion": 1, 5 | "requires": true, 6 | "dependencies": { 7 | "accepts": { 8 | "version": "1.3.7", 9 | "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.7.tgz", 10 | "integrity": "sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA==", 11 | "requires": { 12 | "mime-types": "~2.1.24", 13 | "negotiator": "0.6.2" 14 | } 15 | }, 16 | "array-flatten": { 17 | "version": "1.1.1", 18 | "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz", 19 | "integrity": "sha1-ml9pkFGx5wczKPKgCJaLZOopVdI=" 20 | }, 21 | "body-parser": { 22 | "version": "1.19.0", 23 | "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.19.0.tgz", 24 | "integrity": "sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw==", 25 | "requires": { 26 | "bytes": "3.1.0", 27 | "content-type": "~1.0.4", 28 | "debug": "2.6.9", 29 | "depd": "~1.1.2", 30 | "http-errors": "1.7.2", 31 | "iconv-lite": "0.4.24", 32 | "on-finished": "~2.3.0", 33 | "qs": "6.7.0", 34 | "raw-body": "2.4.0", 35 | "type-is": "~1.6.17" 36 | }, 37 | "dependencies": { 38 | "depd": { 39 | "version": "1.1.2", 40 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 41 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 42 | } 43 | } 44 | }, 45 | "bytes": { 46 | "version": "3.1.0", 47 | "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.0.tgz", 48 | "integrity": "sha512-zauLjrfCG+xvoyaqLoV8bLVXXNGC4JqlxFCutSDWA6fJrTo2ZuvLYTqZ7aHBLZSMOopbzwv8f+wZcVzfVTI2Dg==" 49 | }, 50 | "content-disposition": { 51 | "version": "0.5.3", 52 | "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.3.tgz", 53 | "integrity": "sha512-ExO0774ikEObIAEV9kDo50o+79VCUdEB6n6lzKgGwupcVeRlhrj3qGAfwq8G6uBJjkqLrhT0qEYFcWng8z1z0g==", 54 | "requires": { 55 | 
"safe-buffer": "5.1.2" 56 | } 57 | }, 58 | "content-type": { 59 | "version": "1.0.4", 60 | "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz", 61 | "integrity": "sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==" 62 | }, 63 | "cookie": { 64 | "version": "0.4.0", 65 | "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz", 66 | "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==" 67 | }, 68 | "cookie-session": { 69 | "version": "1.4.0", 70 | "resolved": "https://registry.npmjs.org/cookie-session/-/cookie-session-1.4.0.tgz", 71 | "integrity": "sha512-0hhwD+BUIwMXQraiZP/J7VP2YFzqo6g4WqZlWHtEHQ22t0MeZZrNBSCxC1zcaLAs8ApT3BzAKizx9gW/AP9vNA==", 72 | "requires": { 73 | "cookies": "0.8.0", 74 | "debug": "2.6.9", 75 | "on-headers": "~1.0.2" 76 | } 77 | }, 78 | "cookie-signature": { 79 | "version": "1.0.6", 80 | "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz", 81 | "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw=" 82 | }, 83 | "cookies": { 84 | "version": "0.8.0", 85 | "resolved": "https://registry.npmjs.org/cookies/-/cookies-0.8.0.tgz", 86 | "integrity": "sha512-8aPsApQfebXnuI+537McwYsDtjVxGm8gTIzQI3FDW6t5t/DAhERxtnbEPN/8RX+uZthoz4eCOgloXaE5cYyNow==", 87 | "requires": { 88 | "depd": "~2.0.0", 89 | "keygrip": "~1.1.0" 90 | } 91 | }, 92 | "debug": { 93 | "version": "2.6.9", 94 | "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", 95 | "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", 96 | "requires": { 97 | "ms": "2.0.0" 98 | } 99 | }, 100 | "depd": { 101 | "version": "2.0.0", 102 | "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", 103 | "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==" 104 | }, 105 | "destroy": { 106 | "version": "1.0.4", 107 | 
"resolved": "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz", 108 | "integrity": "sha1-l4hXRCxEdJ5CBmE+N5RiBYJqvYA=" 109 | }, 110 | "ee-first": { 111 | "version": "1.1.1", 112 | "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", 113 | "integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=" 114 | }, 115 | "encodeurl": { 116 | "version": "1.0.2", 117 | "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", 118 | "integrity": "sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=" 119 | }, 120 | "escape-html": { 121 | "version": "1.0.3", 122 | "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", 123 | "integrity": "sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=" 124 | }, 125 | "etag": { 126 | "version": "1.8.1", 127 | "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", 128 | "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=" 129 | }, 130 | "express": { 131 | "version": "4.17.1", 132 | "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz", 133 | "integrity": "sha512-mHJ9O79RqluphRrcw2X/GTh3k9tVv8YcoyY4Kkh4WDMUYKRZUq0h1o0w2rrrxBqM7VoeUVqgb27xlEMXTnYt4g==", 134 | "requires": { 135 | "accepts": "~1.3.7", 136 | "array-flatten": "1.1.1", 137 | "body-parser": "1.19.0", 138 | "content-disposition": "0.5.3", 139 | "content-type": "~1.0.4", 140 | "cookie": "0.4.0", 141 | "cookie-signature": "1.0.6", 142 | "debug": "2.6.9", 143 | "depd": "~1.1.2", 144 | "encodeurl": "~1.0.2", 145 | "escape-html": "~1.0.3", 146 | "etag": "~1.8.1", 147 | "finalhandler": "~1.1.2", 148 | "fresh": "0.5.2", 149 | "merge-descriptors": "1.0.1", 150 | "methods": "~1.1.2", 151 | "on-finished": "~2.3.0", 152 | "parseurl": "~1.3.3", 153 | "path-to-regexp": "0.1.7", 154 | "proxy-addr": "~2.0.5", 155 | "qs": "6.7.0", 156 | "range-parser": "~1.2.1", 157 | "safe-buffer": "5.1.2", 158 | "send": "0.17.1", 159 | "serve-static": "1.14.1", 160 | "setprototypeof": "1.1.1", 161 | "statuses": "~1.5.0", 162 | "type-is": "~1.6.18", 163 | "utils-merge": "1.0.1", 
164 | "vary": "~1.1.2" 165 | }, 166 | "dependencies": { 167 | "depd": { 168 | "version": "1.1.2", 169 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 170 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 171 | } 172 | } 173 | }, 174 | "finalhandler": { 175 | "version": "1.1.2", 176 | "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.2.tgz", 177 | "integrity": "sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==", 178 | "requires": { 179 | "debug": "2.6.9", 180 | "encodeurl": "~1.0.2", 181 | "escape-html": "~1.0.3", 182 | "on-finished": "~2.3.0", 183 | "parseurl": "~1.3.3", 184 | "statuses": "~1.5.0", 185 | "unpipe": "~1.0.0" 186 | } 187 | }, 188 | "forwarded": { 189 | "version": "0.1.2", 190 | "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz", 191 | "integrity": "sha1-mMI9qxF1ZXuMBXPozszZGw/xjIQ=" 192 | }, 193 | "fresh": { 194 | "version": "0.5.2", 195 | "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz", 196 | "integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=" 197 | }, 198 | "http-errors": { 199 | "version": "1.7.2", 200 | "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.2.tgz", 201 | "integrity": "sha512-uUQBt3H/cSIVfch6i1EuPNy/YsRSOUBXTVfZ+yR7Zjez3qjBz6i9+i4zjNaoqcoFVI4lQJ5plg63TvGfRSDCRg==", 202 | "requires": { 203 | "depd": "~1.1.2", 204 | "inherits": "2.0.3", 205 | "setprototypeof": "1.1.1", 206 | "statuses": ">= 1.5.0 < 2", 207 | "toidentifier": "1.0.0" 208 | }, 209 | "dependencies": { 210 | "depd": { 211 | "version": "1.1.2", 212 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 213 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 214 | } 215 | } 216 | }, 217 | "iconv-lite": { 218 | "version": "0.4.24", 219 | "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz", 220 | "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==", 
221 | "requires": { 222 | "safer-buffer": ">= 2.1.2 < 3" 223 | } 224 | }, 225 | "inherits": { 226 | "version": "2.0.3", 227 | "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz", 228 | "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=" 229 | }, 230 | "ipaddr.js": { 231 | "version": "1.9.1", 232 | "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", 233 | "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==" 234 | }, 235 | "keygrip": { 236 | "version": "1.1.0", 237 | "resolved": "https://registry.npmjs.org/keygrip/-/keygrip-1.1.0.tgz", 238 | "integrity": "sha512-iYSchDJ+liQ8iwbSI2QqsQOvqv58eJCEanyJPJi+Khyu8smkcKSFUCbPwzFcL7YVtZ6eONjqRX/38caJ7QjRAQ==", 239 | "requires": { 240 | "tsscmp": "1.0.6" 241 | } 242 | }, 243 | "media-typer": { 244 | "version": "0.3.0", 245 | "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz", 246 | "integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=" 247 | }, 248 | "merge-descriptors": { 249 | "version": "1.0.1", 250 | "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz", 251 | "integrity": "sha1-sAqqVW3YtEVoFQ7J0blT8/kMu2E=" 252 | }, 253 | "methods": { 254 | "version": "1.1.2", 255 | "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz", 256 | "integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4=" 257 | }, 258 | "mime": { 259 | "version": "1.6.0", 260 | "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz", 261 | "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==" 262 | }, 263 | "mime-db": { 264 | "version": "1.44.0", 265 | "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.44.0.tgz", 266 | "integrity": "sha512-/NOTfLrsPBVeH7YtFPgsVWveuL+4SjjYxaQ1xtM1KMFj7HdxlBlxeyNLzhyJVx7r4rZGJAZ/6lkKCitSc/Nmpg==" 267 | }, 268 | "mime-types": { 269 | "version": "2.1.27", 270 | "resolved": 
"https://registry.npmjs.org/mime-types/-/mime-types-2.1.27.tgz", 271 | "integrity": "sha512-JIhqnCasI9yD+SsmkquHBxTSEuZdQX5BuQnS2Vc7puQQQ+8yiP5AY5uWhpdv4YL4VM5c6iliiYWPgJ/nJQLp7w==", 272 | "requires": { 273 | "mime-db": "1.44.0" 274 | } 275 | }, 276 | "ms": { 277 | "version": "2.0.0", 278 | "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", 279 | "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=" 280 | }, 281 | "negotiator": { 282 | "version": "0.6.2", 283 | "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.2.tgz", 284 | "integrity": "sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw==" 285 | }, 286 | "on-finished": { 287 | "version": "2.3.0", 288 | "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz", 289 | "integrity": "sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=", 290 | "requires": { 291 | "ee-first": "1.1.1" 292 | } 293 | }, 294 | "on-headers": { 295 | "version": "1.0.2", 296 | "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz", 297 | "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==" 298 | }, 299 | "parseurl": { 300 | "version": "1.3.3", 301 | "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", 302 | "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==" 303 | }, 304 | "path-to-regexp": { 305 | "version": "0.1.7", 306 | "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz", 307 | "integrity": "sha1-32BBeABfUi8V60SQ5yR6G/qmf4w=" 308 | }, 309 | "proxy-addr": { 310 | "version": "2.0.6", 311 | "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.6.tgz", 312 | "integrity": "sha512-dh/frvCBVmSsDYzw6n926jv974gddhkFPfiN8hPOi30Wax25QZyZEGveluCgliBnqmuM+UJmBErbAUFIoDbjOw==", 313 | "requires": { 314 | "forwarded": "~0.1.2", 315 | "ipaddr.js": "1.9.1" 316 | } 317 | }, 318 | "qs": { 319 | 
"version": "6.7.0", 320 | "resolved": "https://registry.npmjs.org/qs/-/qs-6.7.0.tgz", 321 | "integrity": "sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==" 322 | }, 323 | "range-parser": { 324 | "version": "1.2.1", 325 | "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", 326 | "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==" 327 | }, 328 | "raw-body": { 329 | "version": "2.4.0", 330 | "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.4.0.tgz", 331 | "integrity": "sha512-4Oz8DUIwdvoa5qMJelxipzi/iJIi40O5cGV1wNYp5hvZP8ZN0T+jiNkL0QepXs+EsQ9XJ8ipEDoiH70ySUJP3Q==", 332 | "requires": { 333 | "bytes": "3.1.0", 334 | "http-errors": "1.7.2", 335 | "iconv-lite": "0.4.24", 336 | "unpipe": "1.0.0" 337 | } 338 | }, 339 | "safe-buffer": { 340 | "version": "5.1.2", 341 | "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", 342 | "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" 343 | }, 344 | "safer-buffer": { 345 | "version": "2.1.2", 346 | "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", 347 | "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" 348 | }, 349 | "send": { 350 | "version": "0.17.1", 351 | "resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz", 352 | "integrity": "sha512-BsVKsiGcQMFwT8UxypobUKyv7irCNRHk1T0G680vk88yf6LBByGcZJOTJCrTP2xVN6yI+XjPJcNuE3V4fT9sAg==", 353 | "requires": { 354 | "debug": "2.6.9", 355 | "depd": "~1.1.2", 356 | "destroy": "~1.0.4", 357 | "encodeurl": "~1.0.2", 358 | "escape-html": "~1.0.3", 359 | "etag": "~1.8.1", 360 | "fresh": "0.5.2", 361 | "http-errors": "~1.7.2", 362 | "mime": "1.6.0", 363 | "ms": "2.1.1", 364 | "on-finished": "~2.3.0", 365 | "range-parser": "~1.2.1", 366 | "statuses": "~1.5.0" 367 | }, 368 | 
"dependencies": { 369 | "depd": { 370 | "version": "1.1.2", 371 | "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", 372 | "integrity": "sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=" 373 | }, 374 | "ms": { 375 | "version": "2.1.1", 376 | "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz", 377 | "integrity": "sha512-tgp+dl5cGk28utYktBsrFqA7HKgrhgPsg6Z/EfhWI4gl1Hwq8B/GmY/0oXZ6nF8hDVesS/FpnYaD/kOWhYQvyg==" 378 | } 379 | } 380 | }, 381 | "serve-static": { 382 | "version": "1.14.1", 383 | "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.14.1.tgz", 384 | "integrity": "sha512-JMrvUwE54emCYWlTI+hGrGv5I8dEwmco/00EvkzIIsR7MqrHonbD9pO2MOfFnpFntl7ecpZs+3mW+XbQZu9QCg==", 385 | "requires": { 386 | "encodeurl": "~1.0.2", 387 | "escape-html": "~1.0.3", 388 | "parseurl": "~1.3.3", 389 | "send": "0.17.1" 390 | } 391 | }, 392 | "setprototypeof": { 393 | "version": "1.1.1", 394 | "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz", 395 | "integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw==" 396 | }, 397 | "statuses": { 398 | "version": "1.5.0", 399 | "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz", 400 | "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=" 401 | }, 402 | "toidentifier": { 403 | "version": "1.0.0", 404 | "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz", 405 | "integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==" 406 | }, 407 | "tsscmp": { 408 | "version": "1.0.6", 409 | "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", 410 | "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==" 411 | }, 412 | "type-is": { 413 | "version": "1.6.18", 414 | "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz", 415 | "integrity": 
"sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==", 416 | "requires": { 417 | "media-typer": "0.3.0", 418 | "mime-types": "~2.1.24" 419 | } 420 | }, 421 | "unpipe": { 422 | "version": "1.0.0", 423 | "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", 424 | "integrity": "sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw=" 425 | }, 426 | "utils-merge": { 427 | "version": "1.0.1", 428 | "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz", 429 | "integrity": "sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=" 430 | }, 431 | "vary": { 432 | "version": "1.1.2", 433 | "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", 434 | "integrity": "sha1-IpnwLG3tMNSllhsLn3RSShj2NPw=" 435 | } 436 | } 437 | } 438 | -------------------------------------------------------------------------------- /malicious-server/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "cookies", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "", 11 | "license": "ISC", 12 | "dependencies": { 13 | "cookie-session": "^1.4.0", 14 | "express": "^4.17.1" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | ### Example of cross origin cookies 2 | 3 | In `api-server/index.js`, update `origin` to a domain listed in your `/etc/hosts` file. Leave the port of ':3001' on there. 4 | 5 | Start both servers, then navigate to `http://localhost:3000/setcookie`. This will set a cookie on `localhost`. 6 | 7 | Next, navigate to `http://:3001` and open your console. You will see a log of `{ hi: 'there' }`. This indicates that we were able to make a cross domain request including cookies. 
However, the contents of that cookie are not readable by the page at `http://<your-domain>:3001`: the browser attaches the cookie to the cross-origin request, but the cookie itself stays scoped to `localhost`. In addition, this only works if the `origin` listed in `api-server/index.js` is explicitly set to `http://<your-domain>:3001` (not likely in the real world). 8 | 9 | To represent reality, change the `origin` property to any other value, then reload `http://<your-domain>:3001`. The request will now fail, because the browser blocks the cross-origin response when the allowed origin does not match the page's origin. 10 | --------------------------------------------------------------------------------