Adform Site Tracking HTML Injection and Arbitrary Code Execution Vulnerability
Vulnerability
A vulnerability in Adform Site Tracking version 1.1 allows attackers to inject HTML or execute arbitrary code through cookie hijacking. The issue arises when the application requests a JavaScript file from the Adform tracking service and the request carries a unique user ID cookie. Attackers can exploit this by injecting malicious JavaScript into the cookie value, which is then executed in the context of the application when the Adform script is loaded.
Impact
Exploitation of this vulnerability could lead to arbitrary JavaScript code execution in the context of the affected application, potentially allowing session hijacking, credential theft, or unauthorized actions.
Reproduction
To reproduce this vulnerability:
1. Set up a webpage that includes a script tag pointing to the Adform tracking service's cookie endpoint. This script will retrieve the user ID cookie.
2. Craft a malicious webpage that includes JavaScript to set a poisoned cookie for adform.net, injecting a malicious JavaScript payload. When the victim visits this page, the poisoned cookie is set in their browser.
3. When the Adform script is executed in the application, the browser sends the poisoned cookie, and the injected JavaScript payload is executed, demonstrating the vulnerability.
Remediation
To mitigate this vulnerability, sanitize input data before embedding it into JavaScript responses and enable the HttpOnly flag on cookies, which prevents JavaScript access to sensitive cookie values.
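The remediation above, shown as an added example that is not Adform's code: a script endpoint that embeds a cookie value in its JavaScript response, first without and then with validation and output encoding. The cookie name `uid`, the numeric ID format, the `window.trackingUid` variable and all function names are assumptions made for illustration.

```javascript
// Added example; the cookie name `uid` and all function names are hypothetical.
// Assumption: legitimate user IDs are 1-32 decimal digits.
const UID_PATTERN = /^[0-9]{1,32}$/;

// Parse a Cookie request header into a name -> value map (first name wins).
function parseCookies(header) {
  const cookies = new Map();
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!cookies.has(name)) cookies.set(name, part.slice(eq + 1).trim());
  }
  return cookies;
}

// Encode a value as a JavaScript string literal. JSON.stringify handles quotes
// and backslashes; <, >, & and U+2028/2029 are escaped as well so the literal
// cannot close a surrounding <script> element or break older parsers.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// "Before": the cookie value is concatenated into the script body unchanged.
function renderTrackingScriptUnsafe(cookieHeader) {
  const uid = parseCookies(cookieHeader).get('uid') || '';
  return "window.trackingUid = '" + uid + "';";
}

// "After": reject anything outside the allow-list, then encode what remains.
function renderTrackingScriptSafe(cookieHeader) {
  const uid = parseCookies(cookieHeader).get('uid') || '';
  const checked = UID_PATTERN.test(uid) ? uid : '';
  return 'window.trackingUid = ' + jsStringLiteral(checked) + ';';
}

// Issue the ID cookie with HttpOnly so page scripts cannot read it.
function buildSetCookie(uid) {
  if (!UID_PATTERN.test(uid)) throw new Error('invalid uid');
  return 'uid=' + uid + '; Path=/; Secure; HttpOnly';
}

// Constructed sample: a Cookie header whose uid value was tampered with.
const tamperedHeader = "lang=en; uid=12'</script>";
console.log(renderTrackingScriptUnsafe(tamperedHeader));
console.log(renderTrackingScriptSafe(tamperedHeader));
console.log(renderTrackingScriptSafe('uid=1234567890'));
```

Validation and encoding are applied together on purpose: the allow-list rejects unexpected values, and the encoder keeps the response well-formed if the allow-list is later loosened.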
