The document discusses HttpOnly cookies: an additional flag included in HTTP responses to help mitigate cross-site scripting (XSS) attacks. An HttpOnly cookie is sent back to the web server in HTTP(S) requests but is not accessible to client-side scripts, which gives some protection against XSS attacks that could otherwise steal session cookies. Major browsers have supported HttpOnly cookies since the early 2000s, but some vulnerabilities existed until around 2010. The document provides information on how HttpOnly cookies work, their syntax, browser support, and limitations.
BeEF presentation, SecurityByte 2011, by Michele Orru
Outline:
✴ What the hell is BeEF?
✴ Cutting: target enumeration and analysis
✴ Devouring: internal net fingerprint, exploiting internal services through the hooked browser, keylogging, browser pwnage
✴ Digesting: persistence, tunneling sqlmap/Burp through the BeEF proxy, XSSrays integration
✴ Future development and ideas
WordPress Security Tips By Catch Internet:
http://catchinternet.com
These slides cover WordPress hosting servers, examples of link injection hacks, the basics of how to secure your WordPress site, and WordPress security plugins.
Slides of my talk at RuxCon 2013:
For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer 0 or 1 bits depending on whether the response was delayed or not. This means it's possible to exploit every kind of SQL injection, blind or not blind, through a hooked browser, if you can inject a time-delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser.
The talk will finish by discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.
DEMYSTIFYING REST
Kirsten Jones
REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.
This demonstrates an LFI (local file inclusion) security flaw in the internationalization feature of CodeIgniter, the famous PHP framework.
This was coined by me, and used to exploit numerous CodeIgniter-powered websites. Currently reported and fixed.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
In this presentation you will learn how to secure your WordPress website.
In the first part I have covered the reasons why your WordPress website gets hacked/tampered with, and in the second part I have explained various security precautions that you can take to make your WordPress website more secure. I have categorized the checklist so it will be easy for anyone to understand and follow. Hope it will help you. Best of luck for your website security.
Search in WordPress - how it works and how to customize it, by Otto Kekäläinen
WordPress search customization is a topic we at Seravo get asked about on a frequent basis. There are many different ways to customize the search, and customers understandably want to learn the best practices. The search can be customized quite easily with small changes on PHP code level, and by utilizing MariaDB database’s built-in search functionality. You can also choose a more robust way to do this, and build a new ElasticSearch server just for your case.
These slides are from the webinar on January 14th, 2021: https://seravo.com/blog/webinar-search-function-and-how-to-customize-it/
4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek (PROIDEA)
Jakub Żoczek
Language: Polish
During the talk you will learn the secrets of one of the key mechanisms that provide security in browsers, the Same-Origin Policy. Beyond the basics, we will look at various techniques that allow SOP to be bypassed and sensitive data to be obtained from the domains we are interested in.
Slides for the web-vulnerabilities talk I gave at Evo Summer Python Lab'17 (internship at EVO.company).
Overview of the main types of vulnerabilities in web applications as well as ways to prevent them. Damn Vulnerable Web Application (http://dvwa.co.uk/) and Damn Vulnerable Python Web Application (https://github.com/anxolerd/dvpwa) were used as demonstration software.
The presentation covers performing cross-domain AJAX requests. Subjects include the principles of preflight requests and the limitations of the cross-origin resource sharing (CORS) policy. You will find implementation examples for the frontend (JavaScript, jQuery, AngularJS) and for the backend (.Net, Ruby on Rails). Browser compatibility is covered in the section 'Limitations in IE 8, 9', which also shows possible workarounds. Finally, there are a couple of words about Content Security Policy, the latest approach in Web Application Security.
The inspiration for this program was a 31-minute documentary on character actor Milton Parsons made in 2014. From 1948 to 1963, Milton and Collette Parsons created the Cookie Jar Theatre. The performers were Chatsworth children between the ages of 5 and 12. Performances were held at the American Legion Hall on Devonshire, at the Chatsworth Park Elementary Auditorium, and in private homes. Rehearsals were held at the Parsons’ residence at 10801 Farralone Ave. The photographs that follow were donated by the performers and their families.
The browser cookie principle is relatively easy to grasp, but implementing it in APEX can be a challenge for the APEX beginner. In this presentation, besides the basic concept, the sensible use of cookies in APEX and the risks and advantages of cookies in APEX web applications are discussed and explained with a practical example.
HTTP cookie hijacking in the wild: security and privacy implications, by Priyanka Aash
The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS; service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws: attackers can obtain the user's home and work address and visited websites from Google; Bing and Baidu expose the user's complete search history; and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and Ebay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like Doubleclick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars.
To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.
(Source: Black Hat USA 2016, Las Vegas)
Top 10 HTML5 Features for Oracle Cloud Developers, by Brian Huff
Whether you are using Mobile, Social, Java, or Sites in the cloud, HTML5 is probably the easiest way to create and maintain web applications. Most of the Oracle cloud supports HTML5, so it is important to understand what powerful new features are built into this platform.
The same-origin policy is an important security concept of modern browser languages like JavaScript, but it becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAMEs and proxies. As of January 2013 the well-known Cross Origin Resource Sharing (CORS) is a proposed standard by the W3C and now has native support in all major browsers.
Most of us are familiar with HTTP, but when it actually comes to creating cacheable web content, there is still a lot to be learned. In this presentation I will show you how to leverage specific mechanisms to achieve a good hit rate without losing touch with some of the challenges of real-life web projects. Keywords: cache control, cache variations, conditional requests, stateful content, HTTP fragments, invalidation. The goal is to empower developers to control the behavior of reverse caching proxies like Varnish, Content Delivery Networks, or even the browser cache, using the power of HTTP.
More information about this HTTP caching talk can be found on https://feryn.eu/speaking/leverage-http-to-deliver-cacheable-websites-codemotion-rome-2018/
HTML5 introduces significant changes for today's websites: new and updated tags, new functionality, better error handling and an improved Document Object Model (DOM). However, the new HTML5 features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, the associated risks and what needs to be taken into consideration when implementing HTML5.
JMeter webinar - integration with InfluxDB and Grafana, by RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
State of ICS and IoT Cyber Threat Landscape Report 2024 preview, by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties (USA)
- Expansion of bot farms: how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks (Europe)
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality, by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti..., by Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova..., by Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
6.
• A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a piece of data stored by a website within a browser, and then subsequently sent back to the same website by the browser.
Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
8. Definition
• HttpOnly is an additional flag included in a Set-Cookie HTTP response header. An HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests.
Refer: http://en.wikipedia.org/wiki/Http_cookie#HttpOnly_cookie
9. Born
• HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
10. Feature
• Restricts access from other, non-HTTP APIs (such as JavaScript).
• This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
14. Support
• If the browser supports HttpOnly, the cookie cannot be accessed through client-side script: even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
15. NOT Support
• If the browser does not support HttpOnly, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script-accessible cookie.
– document.cookie
Refer: https://www.owasp.org/index.php/HttpOnly#Who_developed_HttpOnly.3F_When.3F
20. Browser
• Cross-site scripting (XSS) is a server-side vulnerability that is often created when rendering user input as HTML.
• e.g. it can expose sensitive information about users of the web site.
Refer: http://msdn.microsoft.com/en-us/library/ms533046.aspx
24. Set-Cookie && Set-Cookie2
• Set-Cookie is defined in RFC 2109
• Set-Cookie2 is defined in RFC 2965
• one or more key-value pairs
Refer: http://www.ietf.org/rfc/rfc2965.txt
26. Test Tool
• Robert Hansen's HTTPOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHttpRequest exposure.
Refer: http://ha.ckers.org/httponly.cgi
27. Test Result
Test  ie6           ie7           ie8           ie9           chrome        firefox       safari
A     not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly  not httpOnly
B     not httpOnly  not httpOnly  not httpOnly  not httpOnly  no            no            no
A - document.cookie
B - XHR API
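As an added example (not code from the slides), the following JavaScript parses Set-Cookie headers of the form described on slide 24, simulates what document.cookie exposes in a browser that honours HttpOnly versus one that ignores it (slides 14 and 15), and audits session cookies for a missing flag (slide 10). The header strings, cookie names and values are constructed samples.

```javascript
// Added example: a tiny Set-Cookie parser plus a simulation of the
// "Support" / "NOT Support" behaviour the slides describe, and an audit
// that flags session cookies issued without HttpOnly (or Secure).

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into a cookie record.
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (!parts.length) throw new Error("empty Set-Cookie header");
  const eq = parts[0].indexOf("=");
  if (eq < 1) throw new Error("invalid Set-Cookie: " + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(), // first '=' splits; later ones stay in the value
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase(); // attributes are case-insensitive
    const val = i < 0 ? true : attr.slice(i + 1).trim();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else cookie.attrs[key] = val;
  }
  return cookie;
}

function documentCookieView(cookies, browserHonoursHttpOnly) {
  // A browser that supports HttpOnly omits flagged cookies from document.cookie
  // (slide 14); one that ignores the flag treats every cookie as a traditional,
  // script-accessible cookie (slide 15).
  return cookies
    .filter((c) => !(browserHonoursHttpOnly && c.httpOnly))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

function auditSessionCookies(headers, sessionNames) {
  // Defender-side check: session cookies set without HttpOnly remain readable by
  // injected script, and without Secure they also travel over plain HTTP.
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!sessionNames.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
  }
  return findings;
}

// Constructed sample response headers (not taken from the slides).
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/; HttpOnly; Secure",
  "PHPSESSID=def456; Path=/",
  "theme=dark; Path=/; Max-Age=31536000",
];

function demo() {
  const jar = SAMPLE_HEADERS.map(parseSetCookie);
  return {
    supported: documentCookieView(jar, true),     // HttpOnly cookie hidden from script
    unsupported: documentCookieView(jar, false),  // flag ignored: everything visible
    findings: auditSessionCookies(SAMPLE_HEADERS, ["SESSIONID", "PHPSESSID"]),
  };
}

console.log(demo());
```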