HttpOnly Cookie
TRANSCRIPT
About
RDSS - Research on Domain Specific Solution
We focus on existing specifications, solutions and products, and we put our research into practice.
Contents
• Cookie Definition
• HttpOnly Cookie
• Browsers Supporting
• Cross-site Scripting
• XMLHTTPRequest
• Finally
Cookie Definition
• A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser and subsequently sent back to the same website by that browser.
Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
Definition
• HttpOnly is an additional flag included in a Set-Cookie HTTP response header.
• An HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests.
Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
Born
• HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
Feature
• Restricts access to the cookie from non-HTTP APIs (such as JavaScript).
• This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
Syntax
• Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly
  (USER is the cookie key and 123 its value; the HttpOnly attribute is appended after the other attributes.)
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
Set HttpOnly Using PHP
• Permanently, for every session cookie: session.cookie_httponly = True (in php.ini)
• Per cookie, through the seventh (httponly) argument of setcookie():

    // name, value, expiry (one hour from now), path, domain,
    // secure (0 = off), httponly (1 = on)
    setcookie("testcookie", $value, time() + 3600, "/", "www.xx.com", 0, 1);

Refer: http://www.php.net/manual/en/function.setcookie.php
Supported
• The cookie cannot be accessed through client-side script. Even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
Not Supported
• The HttpOnly flag is ignored by the browser, creating a traditional, script-accessible cookie.
  – readable through document.cookie
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
Browsers Supporting HttpOnly Cookie

                  ie6   ie7   ie8   ie9   chrome   firefox   safari
  prevent write   yes   yes   yes   yes   yes      yes       yes
  prevent read    yes   yes   yes   yes   yes      yes       yes

Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
Cross-site Scripting
• XSS is a server-side vulnerability that is often created when rendering user input as HTML.
• e.g. it can expose sensitive information about users of the web site.
Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
XMLHttpRequest
• getResponseHeader
• getAllResponseHeaders
• Both methods return response headers to script, so a browser that lets them return Set-Cookie headers exposes the cookie value despite the HttpOnly flag.
Refer: http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/
Set-Cookie && Set-Cookie2
• Set-Cookie is defined in RFC 2109
• Set-Cookie2 is defined in RFC 2965
• Either header carries one or more key-value pairs
Refer: http://www.ietf.org/rfc/rfc2965.txt
Test Tool
• Robert Hansen's HttpOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHttpRequest exposure.
Refer: http://ha.ckers.org/httponly.cgi
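The following is an added example, written for this page and not code from the original slides or from the referenced test page. It serves two of the sections above: it builds a Set-Cookie header value in the syntax shown earlier (HttpOnly on by default, as the PHP setcookie() call does with its seventh argument), and it audits a raw response-header block in the CRLF "Name: value" form that XMLHttpRequest.getAllResponseHeaders() returns, reporting which Set-Cookie / Set-Cookie2 headers lack the flag. Every function name and the sample headers are constructed here and are not from the page.

```javascript
// Added example (not from the original slides or any project they cite).
// buildSetCookie() emits a Set-Cookie value carrying HttpOnly; auditSetCookieHeaders()
// scans a raw header block for Set-Cookie / Set-Cookie2 lines and flags cookies
// without the flag. All names and sample data below are constructed for this page.

// Token characters allowed in a cookie name (RFC 6265 token syntax).
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Build a Set-Cookie header value. HttpOnly defaults to on so that a caller has
// to opt out of it explicitly; Secure and Max-Age are optional.
function buildSetCookie(name, value, { path = '/', maxAge, secure = false, httpOnly = true } = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error('invalid cookie name: ' + name);
  // Reject separators that would let a value smuggle in extra attributes or headers.
  if (/[;,\s"\\]/.test(value)) throw new Error('cookie value must be encoded first');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie or Set-Cookie2 header value into its name and the
// attribute flags this audit cares about. Attribute names are case-insensitive.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Set(
    attrs.map((a) => a.split('=')[0].trim().toLowerCase()).filter(Boolean)
  );
  return { name, httpOnly: attributes.has('httponly'), secure: attributes.has('secure') };
}

// Walk a raw header block (CRLF-separated "Name: value" lines, as
// getAllResponseHeaders() returns it) and return one finding per cookie header.
function auditSetCookieHeaders(rawHeaders) {
  const findings = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const m = /^(set-cookie2?)\s*:\s*(.*)$/i.exec(line);
    if (!m) continue;
    const parsed = parseSetCookie(m[2]);
    findings.push({ header: m[1].toLowerCase(), ...parsed });
  }
  return findings;
}

// Names of cookies set without HttpOnly: these are the ones document.cookie (and,
// in a browser that leaks Set-Cookie headers through the XHR header API, that API
// too) can hand to injected script.
function cookiesMissingHttpOnly(rawHeaders) {
  return auditSetCookieHeaders(rawHeaders)
    .filter((f) => !f.httpOnly)
    .map((f) => f.name);
}

// Constructed sample response headers, in the shape getAllResponseHeaders() returns.
const SAMPLE_HEADERS = [
  'Content-Type: text/html',
  'Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly',
  'Set-Cookie: tracking=xyz; Path=/',
  'Set-Cookie2: legacy=1; Version=1; Path="/"',
].join('\r\n');

console.log(buildSetCookie('PHPSESSID', 'abc123', { secure: true, maxAge: 3600 }));
console.log('cookies without HttpOnly:', cookiesMissingHttpOnly(SAMPLE_HEADERS));
```

Run with node; on the constructed sample it reports tracking and legacy as the cookies that script can read, while PHPSESSID is protected. The audit is deliberately case-insensitive on both the header name and the attribute name, because browsers treat them that way and a checker that only matched the exact spelling "HttpOnly" would miss valid headers.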
Test Result

                        ie6            ie7            ie8            ie9            chrome         firefox        safari
  A - document.cookie   not httpOnly   not httpOnly   not httpOnly   not httpOnly   not httpOnly   not httpOnly   not httpOnly
  B - xhr api           not httpOnly   not httpOnly   not httpOnly   not httpOnly   no             no             no

A - document.cookie, B - xhr api