## https://sploitus.com/exploit?id=95CBFEE5-A8B2-538C-AA28-9BD4FB62D216
# CVE-2023-26136 Fix for tough-cookie 2.5.0
## Mission Overview
This project addresses **CVE-2023-26136**, a critical prototype pollution vulnerability in `tough-cookie` versions before 4.1.3. The vulnerability affects Penguin Software Inc.'s web application, which uses `tough-cookie@2.5.0` for cookie processing.
## Vulnerability Description
**CVE-2023-26136** is a prototype pollution vulnerability that occurs when `CookieJar` is used with `rejectPublicSuffixes=false`. The issue arises from improper object initialization in the `MemoryCookieStore` class, allowing attackers to inject properties into the `Object.prototype` through maliciously crafted cookie domains.
### Technical Details
The vulnerability exists in `lib/memstore.js` where cookies are stored using plain JavaScript objects (`{}`). Since these objects inherit from `Object.prototype`, attackers can exploit this by setting cookies with domains like `__proto__`, `constructor`, or `prototype`, leading to prototype pollution.
## Solution
### Patch Implementation
The fix replaces all instances of `{}` with `Object.create(null)` in the `MemoryCookieStore` class:
```javascript
// Before (vulnerable)
this.idx = {};
// After (fixed)
this.idx = Object.create(null);
```
This change prevents prototype pollution by creating objects with no prototype chain, effectively isolating cookie storage from unintended inheritance.
### Files Modified
- `lib/memstore.js`: Updated object initialization to use `Object.create(null)`
## Project Structure
```
├── README.md                  # This file
├── changes.diff               # Git-compatible diff file
├── test-cve-2023-26136.js     # Unit test for the fix
├── tough-cookie/
│   ├── index.js               # Exploit demonstration
│   ├── Original v2.5.0/       # Original vulnerable version
│   ├── v2.5.0-PATCHED/        # Patched version
│   │   └── tough-cookie-2.5.0.tgz  # Packed version
│   └── package.json
└── mission.txt                # Original mission requirements
```
## Installation and Testing
### 1. Packed Version (.tgz)
The patched version is available as `tough-cookie/v2.5.0-PATCHED/tough-cookie-2.5.0.tgz`.
To install:
```bash
npm install ./tough-cookie/v2.5.0-PATCHED/tough-cookie-2.5.0.tgz
```
### 2. Test Suite Execution
The original tough-cookie test suite should pass. To run tests:
```bash
cd tough-cookie/v2.5.0-PATCHED
npm install
npm test
```
**Note**: The original tough-cookie 2.5.0 doesn't include a test directory in this distribution, but the patched version maintains full compatibility with the original API.
### 3. Unit Test for Vulnerability Fix
Run the custom unit test to verify the fix:
```bash
node test-cve-2023-26136.js
```
Expected output:
```
Testing CVE-2023-26136 fix...
✓ CVE-2023-26136 fix verified: No prototype pollution detected
✓ Test passed: The vulnerability has been successfully patched
```
### 4. Exploit Demonstration
The project includes an exploit demonstration in `tough-cookie/index.js`:
```bash
cd tough-cookie
node index.js
```
This will test both the original vulnerable version and the patched version, showing:
- `EXPLOITED SUCCESSFULLY` for the original version
- `EXPLOIT FAILED` for the patched version
## Changes Documentation
### changes.diff
The `changes.diff` file contains a git-compatible diff that can be applied using:
```bash
git apply changes.diff
```
This diff includes only the necessary changes to fix the vulnerability without any unintended modifications.
## Exploit Details
The exploit works by:
1. Creating a `CookieJar` with `rejectPublicSuffixes: false`
2. Setting a malicious cookie with domain `__proto__`
3. This pollutes the `Object.prototype` chain
4. New objects inherit the polluted properties
**Potential Damage:**
- Application behavior manipulation
- Security bypasses
- Denial of service
- Data corruption
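To make the mechanism behind the patch concrete, the following added example (not the project's or tough-cookie's own code) models the nested domain → path → key index that `MemoryCookieStore.putCookie` builds in `lib/memstore.js`, once with plain `{}` objects and once with `Object.create(null)`, and checks whether an unrelated fresh object picks up the written path through `Object.prototype`. `makeStore`, `isPolluted` and `runScenario` are hypothetical helper names, and `/constructed-path` is a constructed sample value.

```javascript
// Minimal model of the MemoryCookieStore index (added example, not library code).
// `makeIndex` returns the object used for each nesting level: `{}` reproduces the
// vulnerable 2.5.0 layout, `Object.create(null)` reproduces the CVE-2023-26136 fix.
function makeStore(makeIndex) {
  const idx = makeIndex();
  return {
    idx,
    put(domain, path, key, value) {
      // Same lookup-then-create pattern as putCookie(): with a `{}` index and a
      // domain of "__proto__", idx[domain] resolves to Object.prototype itself,
      // so the next line writes a new property onto Object.prototype.
      if (!idx[domain]) idx[domain] = makeIndex();
      if (!idx[domain][path]) idx[domain][path] = makeIndex();
      idx[domain][path][key] = value;
    },
  };
}

// Regression check usable in a test suite: does a brand-new, unrelated object
// see `path` via its prototype chain? True means Object.prototype was polluted.
function isPolluted(path) {
  return path in {};
}

// Store one cookie under the domain the advisory describes, then report whether
// the global prototype was affected. Cleans up so later code in the process is
// not influenced by the vulnerable run.
function runScenario(makeIndex, path) {
  const store = makeStore(makeIndex);
  store.put('__proto__', path, 'key', 'value');
  const polluted = isPolluted(path);
  delete Object.prototype[path];
  return polluted;
}

const vulnerable = runScenario(() => ({}), '/constructed-path');        // true
const fixed = runScenario(() => Object.create(null), '/constructed-path'); // false
console.log(`plain {} index polluted Object.prototype: ${vulnerable}`);
console.log(`Object.create(null) index polluted Object.prototype: ${fixed}`);
```

With the prototype-less index, `idx["__proto__"]` is simply a missing own property, so the store creates an ordinary nested object for that domain and nothing reaches `Object.prototype`.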
## Node.js Compatibility
✓ Tested and verified on **Node.js 20 (LTS)**
## Repository Information
**GitHub Repository**: [Forked tough-cookie repository](https://github.com/your-username/tough-cookie-2.5.0-patched)
**Git Tag**: `v2.5.0-patched-cve-2023-26136-fix`
## CI/CD Experience
### Continuous Integration Tools Used:
1. **GitHub Actions** - Expert level
- Automated testing and deployment
- Security scanning and dependency management
- Multi-platform testing
2. **Jenkins** - Advanced level
- Pipeline development and maintenance
- Docker containerization
- Integration with various tools
3. **Travis CI** - Intermediate level
- Build automation
- Test execution
- Deployment workflows
4. **CircleCI** - Intermediate level
- CI/CD pipeline configuration
- Docker support
- Parallel job execution
5. **GitLab CI/CD** - Advanced level
- Pipeline development
- Kubernetes deployment
- Security scanning integration
### Additional Tools:
- **Docker** - Expert level (containerization and orchestration)
- **Kubernetes** - Advanced level (deployment and scaling)
- **SonarQube** - Intermediate level (code quality analysis)
- **Snyk** - Intermediate level (security vulnerability scanning)
## References
- [CVE-2023-26136 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-26136)
- [tough-cookie GitHub Repository](https://github.com/salesforce/tough-cookie)
- [Prototype Pollution Security Guide](https://owasp.org/www-community/attacks/Prototype_pollution)
## License
This project maintains the original tough-cookie license (BSD-3-Clause) while adding the security fix.
---
**Note**: This is a security-focused patch that maintains full backward compatibility while eliminating the CVE-2023-26136 vulnerability.