Use HTTP Headers to defend against WEB attacks (Part3)


The previous articles, "Use HTTP Headers to defend against WEB attacks (Part1)" and "Use HTTP Headers to defend against WEB attacks (Part2)", described how to use HTTP headers such as X-Frame-Options and X-XSS-Protection to defend against web attacks. In this article, we explore how to use HTTP headers to protect our cookies.

Introduction

Cookies are central to user sessions. An authentication cookie is equivalent to a password, so protecting the cookies used for identity authentication is a very important topic. In this article, we demonstrate how to set certain cookie attributes in PHP applications to protect our cookies against some attacks.

Use HTTP Header to protect Cookies

It is well known that XSS is a very dangerous vulnerability: it allows attackers to steal cookies from users' browsers. The HttpOnly flag prevents client-side JavaScript from reading a cookie. Even if the application itself has an XSS vulnerability, as long as the HttpOnly flag is set, the cookie cannot be read by a script.

Now we can open the simple application that we used in the previous article.

First, observe the header information in the HTTP Response
HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 15:07:14 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a2ed2bf468dd811c09bf62521b07a023; path=/
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

As we can see, there is no additional flag in the Set-Cookie header. If the application has an XSS vulnerability, attackers can easily obtain the cookie.

To avoid this situation, we can use the HttpOnly flag. It tells the browser to send the cookie only in HTTP requests and never to expose it to JavaScript (for example through document.cookie).

Enable HTTPOnly flag

The following sample code snippet demonstrates how to enable HTTPOnly flag in a PHP application:

<?php
// Must be set before session_start(), which is what emits the Set-Cookie header.
ini_set("session.cookie_httponly", "True");
session_start();
session_regenerate_id();

if (!isset($_SESSION['admin_loggedin'])) {
    header('Location: index.php');
    exit; // stop here; without exit the rest of the page is still served to an unauthenticated user
}

if (isset($_GET['search'])) {
    if (!empty($_GET['search'])) {
        $text = $_GET['search']; // user-controlled input from the demo application's search form
    } else {
        $text = "No text Entered";
    }
}
?>
<!DOCTYPE html>


From the above code snippet, we can see that the following line of code is used to enable HTTPOnly:
ini_set("session.cookie_httponly", "True");

Next let's take a look at the HTTP header information obtained after the HTTPOnly flag is enabled.
HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 15:03:15 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=36cb82e1d98853f8e250d89be857a0d3; path=/; HttpOnly
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

In the above information, we can see from the Set-Cookie header that HttpOnly has been successfully enabled.
Set-Cookie: PHPSESSID=36cb82e1d98853f8e250d89be857a0d3; path=/; HttpOnly

The effect of the HttpOnly flag is as follows. When an attacker exploits an XSS vulnerability and tries to read the cookie with a JavaScript payload, the browser does not expose the cookie to the script.

We can see that the cookie cannot be read by a script, even though the XSS vulnerability still exists!

Secure flag

Another cookie attribute is "Secure". We often see that a website is available over both HTTP and HTTPS. When an application transmits its cookies over HTTP, attackers can hijack them in many ways, because they travel in plaintext. The "Secure" attribute is also set in the Set-Cookie header; it ensures that the cookie carrying it is transmitted only over HTTPS.

The following sample code snippet demonstrates how to enable the Secure flag in a PHP application:
<?php
// Must be set before session_start(), which is what emits the Set-Cookie header.
ini_set("session.cookie_secure", "True");
session_start();
session_regenerate_id();

if (!isset($_SESSION['admin_loggedin'])) {
    header('Location: index.php');
    exit; // stop here; without exit the rest of the page is still served to an unauthenticated user
}

if (isset($_GET['search'])) {
    if (!empty($_GET['search'])) {
        $text = $_GET['search']; // user-controlled input from the demo application's search form
    } else {
        $text = "No text Entered";
    }
}
?>
<!DOCTYPE html>

From the above code snippet, we can see that the following line of code is used to enable Secure:
ini_set("session.cookie_secure", "True");

Next, let's take a look at the HTTP Headers obtained after the code is executed.
HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 15:14:30 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=f95afc96ecb7acc6c288d31f941e682f; path=/; secure
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

As shown in the preceding header, the Secure attribute is successfully enabled. HTTPS is not enabled on my local host, so when I refresh the page over plain HTTP the browser refuses to send the cookie: a Secure cookie travels only over an HTTPS channel, and the session ID therefore never reaches the server.

Close the browser and end the session

This concerns users who close the browser without clicking the Logout button. For a sensitive application, it is necessary to force the session cookie to be discarded when the browser closes.

The following two lines of PHP implement this.
session_set_cookie_params(0); // lifetime 0: no Expires/Max-Age, so the browser discards the cookie when it closes
session_start();

Assume that the page we run includes the lines above. Log in to the application and close the browser. If we re-open the page, the session is no longer active.

To check whether this attribute has been applied, we can use a cookie editor such as the "EditThisCookie" extension in Chrome.

Log in to the page and open the EditThisCookie extension.


In the cookie's details, the Session option should be checked, which confirms that our session will not remain active after the browser is closed.

We can also set it in Chrome's developer tools.


Other attributes of Cookies

Domain: this attribute specifies the domain (and, with a leading dot, its subdomains) to which the browser sends the cookie.

Path: this attribute restricts the cookie to requests whose URL path is under the given path within that domain.

Expiration: this attribute specifies when the cookie expires; after that time the browser no longer sends it.

You only need a few lines of code to add these three attributes in a PHP application:
ini_set("session.cookie_secure", "True");   // Secure
ini_set("session.cookie_httponly", "True"); // HttpOnly
// Lifetime 3 seconds (Max-Age); "/" makes the cookie valid on all paths of
// this domain; the leading dot makes it accessible from all subdomains.
session_set_cookie_params(3, '/', '.localhost');
session_start();

Reload the page and check the response header.
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 03:04:11 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=f4d99777d9810bfedb6869acd556bc66; expires=Thu, 30-Apr-2015 03:04:14 GMT; Max-Age=3; path=/; domain=.localhost; secure; HttpOnly
X-XSS-Protection: 1
Content-Security-Policy: script-src 'self'
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
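Checking response headers by eye, as done throughout this article, does not scale. The following Python script is an added example (not code from the article or its demo application) that parses every Set-Cookie header in a raw HTTP response and reports, per cookie, which of the protections discussed here are missing (HttpOnly, Secure), whether it is a session cookie that dies with the browser or a persistent one with a Max-Age, and whether a leading-dot Domain shares it with subdomains. It goes slightly beyond the article by also flagging a missing SameSite attribute. The sample response is constructed for this example; the first cookie mirrors the article's unprotected PHPSESSID and the second carries the full attribute set from the last header dump.

```python
import re

# Constructed sample response (not captured from the article's server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 12 Apr 2015 15:07:14 GMT\r\n"
    "Set-Cookie: PHPSESSID=a2ed2bf468dd811c09bf62521b07a023; path=/\r\n"
    "Set-Cookie: SESSID_HARDENED=f4d99777d9810bfedb6869acd556bc66; "
    "expires=Thu, 30-Apr-2015 03:04:14 GMT; Max-Age=3; path=/; "
    "domain=.localhost; secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: remember_me=1; Max-Age=2592000; path=/; Secure\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html>"
)


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flag attributes such as Secure map to True; valued ones keep their string.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]  # headers only
    values = []
    for line in re.split(r"\r?\n", head):
        field, sep, val = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_cookie(attrs):
    """Return {"missing": [flag names], "notes": [informational strings]}."""
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # readable via document.cookie under XSS
    if "secure" not in attrs:
        missing.append("Secure")     # sent in cleartext over plain HTTP
    if "samesite" not in attrs:
        missing.append("SameSite")   # not covered by the article; cross-site request control
    notes = []
    if "max-age" in attrs:
        notes.append(f"persistent for {attrs['max-age']} seconds (Max-Age)")
    elif "expires" in attrs:
        notes.append(f"persistent until {attrs['expires']} (Expires)")
    else:
        notes.append("session cookie: discarded when the browser closes")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.startswith("."):
        notes.append(f"domain {domain}: shared with all subdomains")
    return {"missing": missing, "notes": notes}


def audit_response(raw_response):
    """Audit every Set-Cookie header; returns {cookie name: audit dict}."""
    report = {}
    for value in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(value)
        report[name] = audit_cookie(attrs)
    return report


if __name__ == "__main__":
    for name, result in audit_response(SAMPLE_RESPONSE).items():
        status = "OK" if not result["missing"] else "missing " + ", ".join(result["missing"])
        print(f"{name}: {status}")
        for note in result["notes"]:
            print(f"    - {note}")
```

Feed it the raw output of a tool that prints the full response head (for example `curl -i`) and it flags the same gaps the article shows by hand: the bare PHPSESSID lacks every flag, while the hardened cookie passes and is reported as persistent for its Max-Age.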

In this article, we learned how to use the HTTP header to protect our Cookies. Although these headers can help us improve the security of WEB applications, we cannot rely entirely on these headers to protect our WEB security. We should consider adding additional security layers.
