HttpOnly Cookie: Something You Don’t Know About HTTP (RDSS Team, 2012-04)

Upload: fool2fish

Post on 20-Aug-2015



Author

兰七 [email protected]

About

RDSS: Research on Domain Specific Solution

We focus on existing specifications, solutions, products, etc. We put our research into practice.

Contents

• Cookie Definition

• HttpOnly Cookie

• Browsers Supporting

• Cross-site Scripting

• XMLHTTPRequest

• Finally

Cookie Definition


• A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser

Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie

HttpOnly Cookie

Definition

• HttpOnly is an additional flag included in a Set-Cookie HTTP response header. An HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests.

Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie


Born

• HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F


Feature

• restricting access from other non-HTTP APIs (such as JavaScript).

• this restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F


Syntax

• Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly

(USER is the key, 123 the value; HttpOnly is the flag appended after the other attributes)

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F


Set HttpOnly Using PHP

• For the PHP session cookie: session.cookie_httponly = True (in php.ini)

• Per cookie, via the seventh (httponly) parameter: setcookie("testcookie", $value, time()+3600, "/", "www.xx.com", 0, 1);

Refer: http://www.php.net/manual/en/function.setcookie.php
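As an added example (not from the slides), a small Node.js audit that parses Set-Cookie header values in the syntax shown above and reports every cookie a server set without the HttpOnly flag; the sample headers and the PHPSESSID session-cookie name used for severity are constructed for the demo.

```javascript
// Added example (not from the slides): parse Set-Cookie header values and
// flag cookies that were emitted without the HttpOnly flag.
// Assumes Node.js; uses no third-party modules.

// Parse one Set-Cookie header value into {name, value, attrs}.
// Attribute names are case-insensitive in the cookie specs, so they are
// stored lower-cased; bare flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // no name=value pair: nothing to audit
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Audit a list of Set-Cookie header values. Returns one finding per cookie
// that lacks HttpOnly. Names in `sessionNames` are treated as session
// identifiers (constructed default: PHPSESSID) and reported as high severity.
function auditSetCookieHeaders(headers, sessionNames = ['PHPSESSID']) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c || c.attrs.httponly === true) continue;
    findings.push({
      name: c.name,
      severity: sessionNames.includes(c.name) ? 'high' : 'medium',
      detail: 'Set-Cookie without HttpOnly: readable via document.cookie',
    });
  }
  return findings;
}

// Constructed sample headers: the slide's example plus two weak cookies.
const sampleHeaders = [
  'USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly',
  'PHPSESSID=abc123; path=/',
  'theme=dark; Max-Age=3600',
];

console.log(auditSetCookieHeaders(sampleHeaders)); // reports PHPSESSID and theme
```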

Browsers Supporting

Support

• the cookie cannot be accessed through client side script; even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F

NOT Support

• The HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie.

– document.cookie

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F

Browsers Supporting HttpOnly Cookie

                ie6  ie7  ie8  ie9  chrome  firefox  safari
prevent write   yes  yes  yes  yes  yes     yes      yes
prevent read    yes  yes  yes  yes  yes     yes      yes

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F

Refer: http://www.browserscope.org/security/test

WebGoat

Refer: http://code.google.com/p/webgoat/

Cross-Site Scripting

Browser

• Cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML.

• e.g. it can expose sensitive information about users of the web site

Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx

Example

Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx

XMLHTTPRequest

• XMLHttpRequest methods that can expose the response's Set-Cookie headers to script:

• getResponseHeader

• getAllResponseHeaders

Refer: http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/

Set-Cookie && Set-Cookie2

• Set-Cookie defined in RFC 2109

• Set-Cookie2 defined in RFC 2965

• one or more key-value pairs

Refer: http://www.ietf.org/rfc/rfc2965.txt

Fixed Browsers

• Firefox 3.0.0.6

• IE

• Safari 5 && Chrome 12

• Firefox bans all cookie headers from XMLHttpRequest responses

Test Tool

• Robert Hansen's HttpOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHTTPRequest exposure

Refer: http://ha.ckers.org/httponly.cgi.

Test Result

(A = document.cookie, B = xhr api)

     ie6           ie7           ie8           ie9           chrome        firefox       safari
A    not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly
B    not httpOnly  not httpOnly  not httpOnly  not httpOnly  no            no            no

Finally

HttpOnly Cookie

• Pros

• Cons