I. Title: Those things about cookie security settings
Sub-standard: HttpOnly attribute and Secure attribute resolution
Second, Introduction
There are often cases where you see an XSS cross-site scripting attack that steals cookies, and the fix is httponly. Write today to Daoteng under ...
2.1 First pre-required knowledge of cookies. If you know cookies for the first time, please read this article first:
JS in Cookies.zip, Google cookies.
Third,cookie attributes
Cookie content,:
HTTP Response Header:
Set-cookie: <name>=<value>[; <Max-Age>=<age>][; expires=<date>][; Domain=<domain_ name>]=[; Path=<some_path>][; secure][; HttpOnly]
1 2 3 4 5 6 7
Cookie Common Properties
A cookie contains the following information:
1)cookie name , the cookie name must be used only in the URL of the characters, generally with letters and numbers, can not contain special characters, such as special characters want to transcode. If JS operates a cookie, you can use Escape () to transcode the name.
2)cookie value , cookie value the same as the name of the cookie, can be transcoded and encrypted.
3) Expires, expiration date, a GMT format time, after this date, the browser will delete this cookie, when not set this, the cookie disappears after the browser is closed.
4)path, a path, the page below this path can access the cookie, generally set to "/" to indicate that all pages of the same site can access this cookie.
5)domain, subdomain, specifies that cookies can be accessed under this subdomain, for example, to make cookies accessible under a.test.com, but not accessible under b.test.com, domain can be set to a.test.com.
6)Secure, security, specifies whether the cookie is accessible only through the HTTPS protocol, the generic cookie is accessible by using the HTTP protocol, and if Secure (no value) is set A cookie can be accessed by the page only if it is connected using the HTTPS protocol.
7)HttpOnly, if the "HttpOnly" attribute is set in the cookie, the cookie information cannot be read by the program (JS script, applet, etc.).
Note: For the setcookie syntax on W3shool, and not showing 7 HttpOnly, the respective version supports the issue.
Iv. Understanding the HttpOnly attribute
to address the problem of XSS (cross-site scripting attacks), IE6 started to support the HttpOnly attribute of the cookie, which is now supported by most browsers (IE, FF, Chrome, Safari) . When the HttpOnly attribute in the cookie is set to True ( last 7th bit), the front-end script cannot access or manipulate the cookie ( only through background access), so that the XSS is invalidated. A browser supported by the HttpOnly session cookie will only be used to send HTTP (or HTTPS) requests, thereby restricting access from other non-HTTP APIs such as JavaScript. This limitation is mitigated, but the threat of a meeting through cross-site scripting (XSS) cookie theft is not eliminated . This feature applies only to session-managed cookies, not to other browser cookies. -----------------don't understand it here, it's okay, keep looking down .
4.2 HttpOnly Effect Demo
First look at the example demo:
1.php
<?php Setcookie ("abc", "Test", NULL, NULL, NULL, NULL, TRUE); ?> <script>alert (Document.cookie);</script>
We can see what this box is all about.
2.php
<?php Setcookie ("abc", "Test"); ?> <script>alert (Document.cookie);</script>
We can see through the comparison, there are httponly pages, JS is not able to obtain the contents of the cookie, and no HttpOnly page, JS easy access to cookies without pressure.
Easy to understand: Block client script Access cookie
Sina Weibo XSS, have encountered HttpOnly, even if you get the user's cookies through XSS, also can not access the user's page through this cookie, so that the HttpOnly settings are required for each site!
4.3.HttpOnly Setup sample (not tested for feasibility)
Javae
12 |
response.setHeader( "Set-Cookie" , "cookiename=value; Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly"); |
private static final String custom_session_id = "Yongboyid";
private static final String http_only = "HttpOnly";
private static final String secure = "SECURE";
Private Static final String Set_cookie = "Set-cookie";
public void Sethttponly (HttpServletResponse hresponse,httpservletrequest hrequest) {
if (Hresponse.containsheader (Set_cookie)) {
Add HttpOnly to a session cookie
String sessionId = Hrequest.getsession (). GetId ();
String Cookievalue = custom_session_id + "=" + SessionId + "; Path= "
+ Hrequest.getcontextpath () + ";" + secure+ ";" + http_only;
Hresponse.setheader (Set_cookie, cookievalue);
}
}
The meaning of the specific parameter is not elaborated again, after the set up through the JS script is not read the cookie, but use the following way can read
1 |
Cookie cookies[]=request.getCookies(); |
C#
123 |
HttpCookie myCookie = new HttpCookie( "myCookie" ); myCookie.HttpOnly = true ; Response.AppendCookie(myCookie); |
vb.net
123 |
Dim myCookie As HttpCookie = new HttpCookie( "myCookie" ) myCookie.HttpOnly = True Response.AppendCookie(myCookie) |
But in. NET 1.1, you need to manually add
1 |
Response.Cookies[cookie].Path += ";HTTPOnly" ; |
Servlet3
Just add the following fragment to Web. xml:
123456 |
<session-config> <cookie-config> true <secure> true </secure> </cookie-config> </session-config>
|
In PHP, there are two ways to set the HttpOnly of a cookie.
1234 |
方法一: header( "Set-Cookie:tmp=100;HttpOnly" ); 方法二: setcookie( "tmp" , 100 , NULL, NULL, NULL, NULL, TRUE); |
PHP4
1 |
header( "Set-Cookie: hidden=value; httpOnly" ); |
PHP5
1 |
setcookie( "abc" , "test" , NULL, NULL, NULL, NULL, TRUE); 最后一个参数为HttpOnly属性 |
Five, deep digging
Q: Why has the threat of httponly-cookie theft not been completely eliminated?
A: Because the HttpOnly function only restricts access from other non-HTTP APIs (such as JavaScript), it is possible for a cookie to be transmitted during the process of being monitored for a post-capture information leak.
I looked up MSDN and it says so:
Setting the HttpOnly property to True does not prevent an attacker who has access to a network channel from accessing the Cookie directly. workstation security is also important because a malicious user might use an open browser window or a computer that contains persistent cookies to gain access to a Web site with the identity of a legitimate user.
Setcookie ("tmp", +, NULL, NULL, NULL, True, true); "https"
6 7
Summary below:
Increased cookie security add httponly and secure properties
(1) HttpOnly property
If the "HttpOnly" attribute is set in the cookie, the cookie information cannot be read by the program (JS script, applet, etc.), which can effectively prevent the XSS attack.
(2) Secure attribute
When set to true, the cookie that is created is transmitted to the server in a secure manner, that is, it can only be passed to the server by the browser on the HTTPS connection for session verification, and if the HTTP connection does not pass that information, it will not be stolen to the specific content of the cookie.
For the above two properties,
The secure property is to prevent information disclosure after the message is captured during the delivery process. Number 6th bit True
The purpose of the HttpOnly property is to prevent the program from acquiring a cookie after the attack. Number 7th bit True
Note that in order to reduce the damage caused by XSS cross-site scripting attacks, it is often necessary to combine http-only cookies with other technologies. If used alone, it does not fully protect against cross-site scripting attacks. security can be tested using specialized tools (FIDDLER2,BURP). Xss_cookie Cross-Site scripting attack examples see my other articles.
VI. Resource Links
1. Ava year security fourth week SESSION COOKIE HttpOnly logo
2, Http://msdn.microsoft.com/zh-cn/library/system.web.httpcookie.httponly.aspx
3, Https://www.owasp.org/index.php/HTTPOnly
4, http://www.w3school.com.cn/php/func_http_setcookie.asp
5. The role of cookies when using security, httponly introductions, and preventing XSS attacks
6, http://www.myexception.cn/mobile/824869.html
Personal humble opinion, the wrong place also looked treatise. Luolired