Sep 9, 2013

Web (i.e. HTTP) security vulnerabilities - HttpOnly attribute

Q. What do you understand by the term "HttpOnly" attribute in HTTP cookies?
A. Here is a sample PEN test report comment:

"During the application test, it was detected that the tested web application set a session cookie without the "HttpOnly" attribute. Since this session cookie does not contain the "HttpOnly" attribute, it might be accessed by a malicious script injected into the site (i.e. XSS), and its value can be stolen. Any information stored in session tokens may be stolen and used later for identity theft or user impersonation."

When you tag a cookie with the "HttpOnly" flag, it tells the browser that this particular cookie should only be sent to the server and must not be exposed to client-side script (for example through document.cookie). Any attempt to access the cookie from client script is refused by the browser. This works with a modern web browser that supports and actually implements the "HttpOnly" functionality correctly, and most modern browsers do support the "HttpOnly" flag. The flag makes it more difficult to pull off session theft through XSS, because an injected script can no longer read the session cookie.


Q. What do you understand by the term "Secure" attribute in HTTP cookies?
A. Here is a sample PEN test report comment:

"During the application test, it was detected that the tested web application set a cookie without the "secure" attribute, during an encrypted session. Since this cookie does not contain the "secure" attribute, it might also be sent to the site during an unencrypted session. Any information such as cookies, session tokens or user credentials that are sent to the server as clear text, may be stolen and used later for identity theft or user impersonation."

Remedy: Basically the only required part of a cookie is the "name=value" pair. Common optional attributes are "comment", "domain", "path", etc. The "secure" and "HttpOnly" attributes must be set on sensitive cookies in order to prevent the cookie from being sent over an unencrypted connection or from being accessed by client-side script, respectively.
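As an added example (not part of the original post), the following Python script does what the two sample report comments above describe, for both the "HttpOnly" and the "secure" finding: it parses Set-Cookie response headers, reports which protective attributes are missing, and shows the hardened header a remedy would produce. The function names and the sample headers are constructed for this illustration and are not taken from any real application.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Constructed example for a blog post on cookie attributes; the headers below
are made up and the helper names are hypothetical.
"""

# Constructed sample response headers, as a scanner might capture them over TLS.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),              # missing both flags
    ("Set-Cookie", "sid=xyz; Path=/; HttpOnly; Secure"),      # correctly protected
    ("Set-Cookie", "theme=dark; Path=/; Secure"),             # missing HttpOnly
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, [(attr, value_or_None)]).

    Attribute order is preserved so the header can be rebuilt unchanged.
    Flag attributes such as HttpOnly and Secure carry no value and are stored as None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs.append((key.strip(), val.strip() if sep else None))
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, over_tls=True):
    """Return (cookie_name, [missing attributes]) for one Set-Cookie header.

    Attribute names are matched case-insensitively, as browsers do.
    The Secure flag is only demanded when the cookie was set over an encrypted
    session, which is exactly the condition in the sample report comment.
    """
    name, _, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}
    missing = []
    if "httponly" not in present:
        missing.append("HttpOnly")
    if over_tls and "secure" not in present:
        missing.append("Secure")
    return name, missing


def harden_set_cookie(header, over_tls=True):
    """Rebuild the header with the missing attributes appended (the remedy)."""
    name, value, attrs = parse_set_cookie(header)
    _, missing = audit_set_cookie(header, over_tls)
    attrs = attrs + [(flag, None) for flag in missing]
    rendered = [f"{name}={value}"]
    for key, val in attrs:
        rendered.append(key if val is None else f"{key}={val}")
    return "; ".join(rendered)


def audit_response(headers, over_tls=True):
    """Audit every Set-Cookie header in a response; return [(name, missing)] findings."""
    findings = []
    for key, val in headers:
        if key.lower() == "set-cookie":
            name, missing = audit_set_cookie(val, over_tls)
            if missing:
                findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_HEADERS):
        print(f"Finding: cookie '{name}' is set without: {', '.join(missing)}")
    for key, val in SAMPLE_HEADERS:
        if key.lower() == "set-cookie":
            print(f"Remedy:  Set-Cookie: {harden_set_cookie(val)}")
```

Run it and the two unprotected sample cookies are reported, with a corrected Set-Cookie line for each. Passing over_tls=False models a plain-HTTP response, where only the missing HttpOnly flag is reported because the Secure flag would prevent the cookie from being sent at all.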

Tip: You can use the Firefox plugin Firecookie to view these attributes.
