The Cookie Bomb: My First $10K in Bug Bounties
Between 2019 and 2020 the author found a vulnerability they named the "Cookie Bomb": query parameter values are written directly into cookies, so an attacker can inject an oversized string that makes the server reject the victim's requests (a self-DoS). Testing many sites showed the issue to be widespread, and it earned the author over $10,000. 2025-9-1 05:52:46 Author: infosecwriteups.com

Arshad Kazmi

When I started bug bounty hunting in 2019–2020, I came across a vulnerability that was simple to exploit yet surprisingly widespread. I began calling it the Cookie Bomb — and it earned me over $10,000 in my first year.

Where It All Started

While reading public HackerOne reports, I saw a bug where a query parameter value was directly written into a cookie. Since cookies are sent back to the server with every request, an attacker could inject an oversized string into a cookie, and the victim’s browser would keep sending it in every request.

This led to a self-DoS situation:

  • The victim’s browser stored the malicious cookie.
  • Every request to the backend included that cookie.
  • The server hit header size limits → requests failed.
  • The victim’s session was essentially bricked until they cleared cookies.

That idea stuck in my mind: could this be happening on other sites too?

Hunting for Query Parameters That Set Cookies

I started experimenting with query parameters that are commonly used for tracking and analytics, like:

  • gclid (Google Ads)
  • utm_source, utm_medium, utm_campaign (Google Analytics)
  • fbclid (Facebook)
  • dclid

I used Wappalyzer to quickly identify whether a target was using Google or Facebook tracking. Then, I crafted requests with random 4000-character strings (around the max size for cookies).

https://target.com/?gclid=AAAA...[4000 chars]…AAAA

On reload, I checked if the string was stored as a cookie.

  • Sometimes one parameter was enough to trigger the DoS.
  • Other times, I had to combine multiple parameters (gclid + utm_campaign, etc.) to push total cookie size over the limit.
  • In a few cases, I had to repeat the attack across multiple subdomains in order to set several malicious cookies. Only after combining them did the total cookie size exceed the backend’s header size limit and trigger the DoS.

The Cookie Bomb Effect

When successful, here’s what happened:

  1. Victim clicks the malicious link.
  2. Tracking parameter(s) get stored as cookies.
  3. Cookies exceed header size limit.
  4. All further requests fail with errors like 400 Bad Request or 414 URI Too Large.
  5. Victim can no longer use the application until they clear their cookies.
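From the defender's side, the five steps above leave two visible traces: the attack link being followed (a tracking parameter thousands of characters long) and a client that is suddenly rejected with 400/414 on every request while carrying a huge Cookie header. The following is an added example, not code from the author or from any vendor: it runs simple detection logic over a few constructed access-log lines and produces the Set-Cookie headers that would expire the tracking cookies for a bricked victim. The log format (a constructed `cookie_len=N` field), the thresholds and all function names are assumptions of the example.

```javascript
// Added example (not from the original article): detection of the cookie bomb
// pattern over constructed access-log lines, plus the recovery headers.
// Log format, thresholds and names are this example's own assumptions.

// Constructed log format: ip [time] "METHOD path HTTP/x" status cookie_len=N
// (cookie_len stands in for the byte length of the Cookie request header).
const LOG_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) cookie_len=(\d+)$/;

const TRACKING_PARAMS = ["gclid", "dclid", "fbclid", "utm_source", "utm_medium", "utm_campaign"];
const MAX_PARAM_LEN = 512;      // legitimate click IDs are far shorter
const BOMBED_COOKIE_LEN = 4096; // Cookie header size that warrants attention
const BOMBED_MIN_HITS = 3;      // repeated rejections from one client

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, path, status, cookieLen] = m;
  return { ip, time, method, path, status: Number(status), cookieLen: Number(cookieLen) };
}

// Finding 1: a request whose tracking parameter is implausibly long, i.e. the
// malicious link itself being followed (step 1 of the post).
function oversizedParams(entry) {
  const params = new URL(entry.path, "http://placeholder.invalid").searchParams;
  return TRACKING_PARAMS.filter((p) => (params.get(p) || "").length > MAX_PARAM_LEN);
}

// Finding 2: a client repeatedly rejected with 400/414 while carrying a huge
// Cookie header, i.e. a victim whose session is already bricked (steps 4-5).
function bombedClients(entries) {
  const counts = new Map();
  for (const e of entries) {
    if ((e.status === 400 || e.status === 414) && e.cookieLen >= BOMBED_COOKIE_LEN) {
      counts.set(e.ip, (counts.get(e.ip) || 0) + 1);
    }
  }
  return [...counts].filter(([, n]) => n >= BOMBED_MIN_HITS).map(([ip]) => ip);
}

// Run both detections over raw log lines; unparseable lines are skipped.
function analyze(lines) {
  const entries = lines.map(parseLine).filter(Boolean);
  const findings = [];
  for (const e of entries) {
    const bad = oversizedParams(e);
    if (bad.length) findings.push({ type: "oversized_tracking_param", ip: e.ip, params: bad });
  }
  for (const ip of bombedClients(entries)) findings.push({ type: "bombed_client", ip });
  return findings;
}

// Recovery: Set-Cookie headers that expire the tracking cookies. Whatever
// still answers the rejected request (e.g. the edge server's error page) has
// to send these, because the application never sees a request the server
// already refused. Domain must match the one the bomb cookies were set with.
function clearCookieHeaders(domain) {
  return TRACKING_PARAMS.map((n) => `${n}=; Max-Age=0; Path=/; Domain=${domain}`);
}

// Constructed sample: one attack link followed, then the victim's requests
// failing, then an unrelated client with a normal click ID.
const SAMPLE_LOG = [
  `203.0.113.5 [01/Sep/2025:05:52:46 +0000] "GET /?gclid=${"A".repeat(4000)} HTTP/1.1" 200 cookie_len=0`,
  `203.0.113.5 [01/Sep/2025:05:52:47 +0000] "GET /account HTTP/1.1" 400 cookie_len=8021`,
  `203.0.113.5 [01/Sep/2025:05:52:48 +0000] "GET /account HTTP/1.1" 400 cookie_len=8021`,
  `203.0.113.5 [01/Sep/2025:05:52:49 +0000] "GET /favicon.ico HTTP/1.1" 414 cookie_len=8021`,
  `198.51.100.9 [01/Sep/2025:05:53:00 +0000] "GET /?gclid=Cj0abc123 HTTP/1.1" 200 cookie_len=120`,
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(analyze(SAMPLE_LOG));
  console.log(clearCookieHeaders(".target.example"));
}
```

Finding 1 fires once per attack link and is the higher-signal alert; finding 2 needs a few repeats because a single 400 with a large cookie is also what a broken client extension produces. In practice the `cookie_len` field has to be added to the log format deliberately, since default access-log formats do not record header sizes.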

A Few Rewarded Reports


Source: https://infosecwriteups.com/the-cookie-bomb-my-first-10k-in-bug-bounties-f86cb22c37fa?source=rss----7b722bfd1b8d---4