6. • A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser.
Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
8. Definition
• HttpOnly is an additional flag included in a Set-Cookie HTTP response header. An HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests.
Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
9. Born
• HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
10. Feature
• Restricts access from other, non-HTTP APIs (such as JavaScript).
• This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
14. Support
• The cookie cannot be accessed through client-side script. Even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
15. NOT Support
• The HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie.
  – document.cookie
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
20. Browser
• Cross-site scripting (XSS) is a server-side vulnerability that is often created when rendering user input as HTML.
• e.g. it can expose sensitive information about users of the web site.
Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
24. Set-Cookie && Set-Cookie2
• Set-Cookie is defined in RFC 2109
• Set-Cookie2 is defined in RFC 2965
• Each carries one or more key-value pairs
Refer: http://www.ietf.org/rfc/rfc2965.txt
26. Test Tool
• Robert Hansen's HttpOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHttpRequest exposure.
Refer: http://ha.ckers.org/httponly.cgi.
27. Test Result
       ie6           ie7           ie8           ie9           chrome        firefox       safari
A      not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly
B      not httpOnly  not httpOnly  not httpOnly  not httpOnly  no            no            no
A - document.cookie
B - XHR API
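The checks behind slides 24 to 27 (which cookies a page script could reach through document.cookie or XMLHttpRequest) can be reproduced offline against a server's response headers. The following is an added example, not code from the slides or from the ha.ckers.org test page: it parses both Set-Cookie (RFC 2109) and Set-Cookie2 (RFC 2965, which allows quoted values) header lines, reports which cookies were issued without HttpOnly or Secure, and lists the names a script could read, either in a browser that honours the flag (slide 14) or one that ignores it (slide 15). The sample headers and the function names parseSetCookieLine, auditSetCookieHeaders and scriptReadableCookies are constructed for this example.

```javascript
// Added example (not from the original slides): auditing Set-Cookie and
// Set-Cookie2 response headers for the HttpOnly flag. Function names and
// the sample headers below are assumptions made for this example.

// Constructed sample response headers: one hardened session cookie, one
// traditional cookie, and one RFC 2965 Set-Cookie2 cookie with quoted values.
const SAMPLE_HEADERS = [
  'Set-Cookie: SESSIONID=3f9a1c; Path=/; Secure; HttpOnly',
  'Set-Cookie: prefs=dark; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT',
  'Set-Cookie2: token="q7x"; Version=1; Path="/"; Secure',
];

// Strip one layer of surrounding double quotes (Set-Cookie2 quoted values).
function unquote(s) {
  return s.length >= 2 && s.startsWith('"') && s.endsWith('"') ? s.slice(1, -1) : s;
}

// Parse a single "Set-Cookie: ..." or "Set-Cookie2: ..." line into
// { header, name, value, attrs }. Attribute names are lower-cased because
// browsers match them case-insensitively ("HttpOnly", "httponly", ...).
// Splitting on ';' keeps commas inside Expires dates intact.
function parseSetCookieLine(line) {
  const m = /^(Set-Cookie2?)\s*:\s*(.*)$/i.exec(line);
  if (!m) return null;
  const header = m[1].toLowerCase() === 'set-cookie2' ? 'Set-Cookie2' : 'Set-Cookie';
  const parts = m[2].split(';').map((s) => s.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq < 0) return null; // no name=value pair: not a cookie
  const name = parts[0].slice(0, eq).trim();
  const value = unquote(parts[0].slice(eq + 1).trim());
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : unquote(p.slice(i + 1).trim());
  }
  return { header, name, value, attrs };
}

// One finding per cookie: which header set it and whether the two
// protective flags are present.
function auditSetCookieHeaders(lines) {
  const findings = [];
  for (const line of lines) {
    const c = parseSetCookieLine(line);
    if (!c) continue;
    findings.push({
      name: c.name,
      header: c.header,
      httpOnly: Object.prototype.hasOwnProperty.call(c.attrs, 'httponly'),
      secure: Object.prototype.hasOwnProperty.call(c.attrs, 'secure'),
    });
  }
  return findings;
}

// Cookie names a page script could read through document.cookie (or see via
// the XHR API). In a browser that honours HttpOnly only the unflagged cookies
// are readable; in one that ignores the flag every cookie is.
function scriptReadableCookies(lines, browserHonoursHttpOnly = true) {
  return auditSetCookieHeaders(lines)
    .filter((f) => !browserHonoursHttpOnly || !f.httpOnly)
    .map((f) => f.name);
}

// Human-readable report for the constructed sample.
function report(lines) {
  return auditSetCookieHeaders(lines)
    .map((f) => `${f.header} ${f.name}: ${f.httpOnly ? 'HttpOnly' : 'NOT HttpOnly'}, ${f.secure ? 'Secure' : 'NOT Secure'}`)
    .join('\n');
}

console.log(report(SAMPLE_HEADERS));
```

Run against real responses by feeding in the raw header lines (for example from the output of curl -i); every name returned by scriptReadableCookies is a cookie that an XSS flaw on the site could read, so a session identifier appearing there is the finding to fix.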