id: cookie-injection

info:
  name: Parameter based cookie injection
  author: pdteam
  severity: info
  reference:
    - https://www.invicti.com/blog/web-security/understanding-cookie-poisoning-attacks/
    - https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/cookie_injection.htm
  metadata:
    max-request: 1
  tags: reflected,dast,cookie,injection

variables:
  first: "cookie_injection"

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      reflection:
        - "{{first}}"

    fuzzing:
      - part: query
        type: postfix
        fuzz:
          - "{{reflection}}"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)(?i)(^set-cookie.*cookie_injection.*)'
# digest: 4a0a004730450221008e8261dd2cb7d91b396e9113182736c74c9d2bf320de2e64cb7f21012c6a8eff022014e9227dd17849eac076639e72ffe2e84da4bb5b4b01cffb95771968b4f0ad21:922c64590222798bb761d5b6d8e72950