For your browser only

Cross-site scripting attacks to steal authentication cookies is one of the biggest security problems plaguing the web today. Jeff Atwood argues that a lot more protection could be offered by the cheap and simple means of setting all cookies to HTTPOnly:

HttpOnly cookies can in fact be remarkably effective. Here’s what we know:

  • HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
  • HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn’t, because there’s a bug.
  • XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.

The big security hole, as alluded to above, is that Firefox (and presumably Opera) allow access to the headers through XMLHttpObject. So you could make a trivial JavaScript call back to the local server, get the headers out of the string, and then post that back to an external domain. Not as easy as document.cookie, but hardly a feat of software engineering.

Even with those caveats, I believe HttpOnly cookies are a huge security win. If I — er, I mean, if my friend — had implemented HttpOnly cookies, it would have totally protected his users from the above exploit!

Of course this doesn’t completely protect your app from cross-site attacks and it does nothing to protect against good old fashion packet sniffing, but it is still a good suggestion.


3 responses to “For your browser only

  1. Pingback: Writing Secure Code - Links - September 12, 2008 (Virtual Identity Dialogue)

  2. This blog post is not accurate. IE7 DOES NOT remove HttpOnly cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7.

    I just tested, IE 7.0.6001.18000 still exposes HTTPOnly cookies via set-cookie
    headers in XMLHttpRequest.getAllResponseHeaders()

    From the OWASP WebGoat HTTPOnly lab:
    * FAILURE: Your browser does not prevent an XMLHTTPRequest read for the
    ‘unique2u’ cookie.

  3. That is very disappointing to hear, but thanks for the warning.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s