h12oSep 8, 2025

>>
During testing, I discovered that certain server-side frameworks, such as Django and ASP.NET, apply normalization and trimming to cookie names before processing. Specifically, when the server interprets U+2000 as a whitespace character, it removes it, resulting in a cookie name that becomes equivalent to __Host-name.
<<
https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes

このCookie Chaos、Djangoは脆弱なようだが、Railsは名前が挙がっていないので、違っていそう。

#Cookie #HTTPCookie #HTTPクッキー #クッキー #セキュリティ #情報セキュリティ #Django #Rails

Cookie Chaos: How to bypass __Host and __Secure cookie prefixes

Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

PortSwigger Research
Queer Lit CatsNov 29, 2023
Jezebel: Sex. Celebrity. Politics. With Teeth: Privacy Policy https://jezebel.com/privacy-policy-1851059523 #Jezebel #privacyconcernsregardinggoogle #targetedadvertising #technologyinternet #onlineadvertising #googleanalytics #internetprivacy #termsofservice #webanalytics #httpcookie #tracking #privacy #google #p3p
Privacy Policy

Paste Magazine and Jezebel are committed to protecting your personal security and privacy.

Jezebel