mirror of
https://github.com/moonD4rk/HackBrowserData.git
synced 2026-07-06 21:37:47 +02:00
fix: strip host_key prefix from Chrome 130+ cookie values (#526)
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add decrypt_test.go with v10 round-trip encryption/decryption test - Add stripCookieHash test cases for v24+, older Chrome, empty values, short values, and host mismatch scenarios Closes #524 * fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add table-driven decrypt tests for v10/v20/DPAPI per platform - Add Windows-specific DPAPI round-trip test using CryptProtectData - Add shared testAESKey constant in testutil_test.go - Add stripCookieHash tests for v24+, older Chrome, empty values, short values, and host mismatch scenarios - Extend lint CI to run on ubuntu, windows, and macos Closes #524 * fix: remove DPAPI test from darwin/linux (returns nil on Linux) DecryptWithDPAPI returns nil error on Linux (silent no-op) but error on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip testing is properly covered in decrypt_windows_test.go. * fix: resolve Windows CI lint errors exposed by multi-platform lint - Add _ = before windows.CloseHandle calls to satisfy errcheck - Add build tag to params.go (only used on macOS/Linux, not Windows) * fix: add .gitattributes to force LF and refactor cookie tests - Add .gitattributes with `* text=auto eol=lf` to prevent CRLF conversion on Windows CI causing gofumpt false positives - Add .gitattributes to .gitignore whitelist - Refactor stripCookieHash tests into table-driven style * fix: address Copilot review on decrypt tests - Assert error on wrong key instead of ignoring it (AES-CBC returns padding error, not silent empty result) - Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic - Convert uint32 to int for make/copy slice bounds in Windows test * fix: assert specific error message in wrong key decrypt test
This commit is contained in:
@@ -1,6 +1,8 @@
|
||||
package chromium
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/sha256"
|
||||
"database/sql"
|
||||
"sort"
|
||||
|
||||
@@ -30,6 +32,7 @@ func extractCookies(masterKey []byte, path string) ([]types.CookieEntry, error)
|
||||
}
|
||||
|
||||
value, _ := decryptValue(masterKey, encryptedValue)
|
||||
value = stripCookieHash(value, host)
|
||||
return types.CookieEntry{
|
||||
Name: name,
|
||||
Host: host,
|
||||
@@ -50,3 +53,19 @@ func extractCookies(masterKey []byte, path string) ([]types.CookieEntry, error)
|
||||
})
|
||||
return cookies, nil
|
||||
}
|
||||
|
||||
// stripCookieHash removes the SHA256(host_key) prefix from a decrypted cookie value.
|
||||
// Chrome 130+ (Cookie DB schema version 24) prepends SHA256(domain) to the cookie
|
||||
// value before encryption to prevent cross-domain cookie replay attacks.
|
||||
// If the first 32 bytes don't match SHA256(hostKey), the value is returned unchanged,
|
||||
// which handles both older Chrome versions and tampered data.
|
||||
func stripCookieHash(value []byte, hostKey string) []byte {
|
||||
if len(value) < sha256.Size {
|
||||
return value
|
||||
}
|
||||
hash := sha256.Sum256([]byte(hostKey))
|
||||
if bytes.Equal(value[:sha256.Size], hash[:]) {
|
||||
return value[sha256.Size:] // empty slice if value was exactly 32 bytes
|
||||
}
|
||||
return value
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user