Using cross-site scripting attacks to steal authentication cookies is one of the biggest security problems plaguing the web today. Jeff Atwood argues that a lot more protection could be offered by the cheap and simple means of setting all cookies to HttpOnly:
HttpOnly cookies can in fact be remarkably effective. Here’s what we know:
- HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari).
- HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn’t, because there’s a bug.
- XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.
The big security hole, as alluded to above, is that Firefox (and presumably Opera) allow access to the headers through XMLHttpObject. So you could make a trivial JavaScript call back to the local server, get the headers out of the string, and then post that back to an external domain. Not as easy as document.cookie, but hardly a feat of software engineering.
Even with those caveats, I believe HttpOnly cookies are a huge security win. If I — er, I mean, if my friend — had implemented HttpOnly cookies, it would have totally protected his users from the above exploit!
Of course, this doesn’t completely protect your app from cross-site attacks, and it does nothing to protect against good old-fashioned packet sniffing, but it is still a good suggestion.
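Two things a practitioner will want from the discussion above are a server-side way to emit the flag and a way to audit a response for cookies that lack it. The following is an added example written for this post, not code from Jeff Atwood or from the blog: build_session_cookie uses Python's standard http.cookies module to produce a Set-Cookie value with HttpOnly (and Secure) set, and audit_set_cookie_headers parses a list of Set-Cookie header values and reports cookies that are still readable from script. The function names and the sample header values are constructed for the example.

```python
from http.cookies import SimpleCookie

def build_session_cookie(name, value, secure=True):
    """Return a Set-Cookie header value for a session cookie with HttpOnly set.

    Secure is set too by default: HttpOnly stops script access, but only
    Secure keeps the cookie off the wire in cleartext (the packet-sniffing
    case the post mentions).
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    if secure:
        cookie[name]["secure"] = True
    # OutputString() renders "name=value; HttpOnly; Path=/; Secure"
    return cookie[name].OutputString()

def audit_set_cookie_headers(set_cookie_values):
    """Return the names of cookies in the given Set-Cookie values that lack HttpOnly.

    set_cookie_values is a list of raw Set-Cookie header values as a server
    sent them (one per header). Attribute names are matched case-insensitively,
    since browsers treat them that way.
    """
    missing = []
    for header in set_cookie_values:
        parts = [p.strip() for p in header.split(";") if p.strip()]
        if not parts:
            continue
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(cookie_name)
    return missing

# Constructed sample: what a response from an unaudited app might carry.
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=abc123; Path=/",                 # session cookie, readable from script
    "prefs=dark; Path=/; HttpOnly",       # already protected
    "csrf=x9y8z7; Path=/; Secure",        # Secure but not HttpOnly
]

def main():
    exposed = audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS)
    print("cookies readable from script:", exposed)
    fixed = build_session_cookie("sid", "abc123")
    print("hardened header:", fixed)
    print("after fix:", audit_set_cookie_headers([fixed]))

if __name__ == "__main__":
    main()
```

In a real audit the header values would come from the response object of whatever HTTP client you use (most expose the raw Set-Cookie headers), and every name the audit prints is a cookie that a script injected into the page could read via document.cookie.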
This blog post is not accurate. IE7 DOES NOT remove HttpOnly cookie information from the response headers in XMLHttpObject.getAllResponseHeaders().
I just tested: IE 7.0.6001.18000 still exposes HttpOnly cookies via set-cookie headers in XMLHttpRequest.getAllResponseHeaders().
From the OWASP WebGoat HTTPOnly lab:
Results:
* FAILURE: Your browser does not prevent an XMLHTTPRequest read for the ‘unique2u’ cookie.
That is very disappointing to hear, but thanks for the warning.