Menu
Reading this blog post about HttpOnly cookies made me start thinking, is it possible for an HttpOnly cookie to be obtained through any form of XSS? Jeff mentions that it "raises the bar considerably" but makes it sound like it doesn't completely protect against XSS.
Aside from the fact that not all browser support this feature properly, how could a hacker obtain a user's cookies if they are HttpOnly?
I can't think of any way to make an HttpOnly cookie send itself to another site or be read by script, so it seems like this is a safe security feature, but I'm always amazed at how easily some people can work around many security layers.
In the environment I work in, we use IE exclusively so other browsers aren't a concern. I'm looking specifically for other ways that this could become an issue that don't rely on browser specific flaws.
731
An HttpOnly cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). If the browser allowed you to access it then it would be a defect in the browser.
If an attacker is able to inject a Cross-site Scripting (XSS) payload on the web application, the malicious script could steal the user's cookie and send it to the attacker. The attacker can then use the cookie to impersonate the user in the web application.
Because cookie data (and session IDs) can be stolen using Cross-Site Scripting (XSS), it is important to set cookies as being HTTPOnly. This setting makes cookies unavailable to JavaScript and prevents their theft using XSS.
Cross-site scripting (XSS) attacks are often aimed at stealing session cookies. In such an attack, the cookie value is accessed by a client-side script using JavaScript ( document.
First, as some others mentioned, XSS can allow other payloads, not just cookie stealing.
But, is there anyway to steal httpOnly cookies, with XSS? (ignoring the question of httpOnly support?)....
The answer is: Yes.
A subset of XSS is known as Cross-Site Tracing (XST) (or go to the original research paper). This attack has the XSS payload send an HTTP TRACE request to the web server (or proxy, forward OR reverse), which will echo back to the client the full request - INCLUDING YOUR COOKIES, httpOnly or not. The XSS payload can then parse the returned info, and retrieve those delicious cookies...
Btw, yet another "subset" (kinda) of XSS, involves injecting payload into response headers. Though similar, this isnt exactly XSS, and Header Injection can even lead to HTTP Response Splitting (HRS) - which is much more powerful, allows near complete control of other clients, cache poisoning, and of course access to cookies, if so wished.
104
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
