Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Similar a Http only cookie
Similar a Http only cookie (20)
Último
Último (20)
Http only cookie
- 1. HttpOnly Cookie Something You Don’t Know About HTTP RDSS Team 2012-04
- 2. Author 兰七 yuxia0025@gmail.com
- 3. About RDSS Research on Domain Specific Solution We focus on existed specification, solution, production etc. We put our research into practice.
- 4. Contents • Cookie Definition • HttpOnly Cookie • Browsers Supporting • Cross-site Scripting • XMLHTTPRequest • Finally
- 6. • A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie 6
- 8. Definition • HttpOnly is an additional flag included in a Set-Cookie HTTP response header.an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests. Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
- 9. Born • HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1 Refer:https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When. 9 3F
- 10. Feather • restricting access from other non- HTTP APIs (such as JavaScript). • restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS). Refer:https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When. 10 3F
- 11. Syntax • Set-Cookie: USER(key)=123(value); expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly Refer:https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When. 11 3F
- 12. Set httpOnly Using PHP • Permanently. session.cookie_httponly = True (in php.iniPHP) • Setcookie("testcookie", $value, time()+3600, "/", "www.xx.com", 0 , 1); Refer: http://www.php.net/manual/en/function.setcookie.php 12
- 14. Support • the cookie cannot be accessed through client side script, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party. Refer:https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When. 3F
- 15. NOT Support • The HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. – document.cookie Refer:https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When. 3F
- 16. Browsers Supporting HttpOnly Cookie ie6 ie7 ie8 ie9 chrome firefox safari prevent write yes yes yes yes yes yes yes prevent read yes yes yes yes yes yes Yes Refer:https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When. 3F
- 20. Browser • is a server-side vulnerability that is often created when rendering user input as html. • e.g. expose sensitive information about users of the web site Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
- 22. XMLHTTPRequest
- 23. • getResponseHeader • getAllResponseHeaders Refer: http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and- is-vulnerable-to-xmlhttprequest/
- 24. Set-Cookie && Set-Cookie2 • Set-Cookie defined in RFC 2109 • Set-Cookie2 defined in RFC 2965 • one & more key-value Refer: http://www.ietf.org/rfc/rfc2965.txt
- 25. Fixed Browsers • FireFox 3.0.0.6 • IE • Safari5 && Chrome12 • FireFox ban all cookie
- 26. Test Tool • Robert Hansens' HTTPOnly test page now includes set-cookie and set- cookie2 checks for XMLHTTPRequest exposure Refer: http://ha.ckers.org/httponly.cgi.
- 27. Test Result ie6 ie7 ie8 ie9 chrome firefox safari A not not not not not not not httpOnly httpOnly httpOnly httpOnly httpOnly httpOnly httpOnly B not not not not no no no httpOnly httpOnly httpOnly httpOnly A - document,cookie B - xhr api
- 28. Finally
- 29. HttpOnly Cookie • Pros • Cons