https://wiki.owasp.org/index.php?action=history&feed=atom&title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_08.6
OWASP ModSecurity Securing WebGoat Section4 Sublesson 08.6 - Revision history
2026-04-11T13:34:16Z
Revision history for this page on the wiki
MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_08.6&diff=44366&oldid=prev
Stephen Evans: /* Reviewer comments */
2008-10-22T07:57:45Z
<p><span dir="auto"><span class="autocomment">Reviewer comments</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 07:57, 22 October 2008</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l22" >Line 22:</td>
<td colspan="2" class="diff-lineno">Line 22:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?:\;? ?httponly;?)" \ "phase:3,t:none,t:lowercase,pass,log,auditlog, \</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?:\;? ?httponly;?)" \</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>"phase:3,t:none,t:lowercase,pass,log,auditlog, \</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>msg:'AppDefect: Missing HttpOnly Cookie Flag.'"</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>msg:'AppDefect: Missing HttpOnly Cookie Flag.'"</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
</table>
Stephen Evans
https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_08.6&diff=44364&oldid=prev
Stephen Evans: added content
2008-10-22T07:13:13Z
<p>added content</p>
<p><b>New page</b></p><div>8. Cross-Site Scripting (XSS) -> 8.6 HTTPOnly Test<br />
<br />
(This sublesson was not formally solved by the project)<br />
<br />
=== Lesson overview ===<br />
<br />
The WebGoat lesson overview is included with the WebGoat lesson solution.<br />
<br />
=== Lesson solution === <br />
<br />
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information. <br />
<br />
=== Strategy ===<br />
<br />
This WebGoat lesson is a demonstration of the HttpOnly flag which prevents client side script from reading a cookie value if it is set; "Read Cookie" and "Write Cookie" buttons can be selected to view that particular browser's support of the HttpOnly flag.<br />
<br />
There really is no ModSecurity solution or any other way to illustrate similar functionality within ModSecurity, especially since this takes place in the browser and ModSecurity cannot modify source code in an HTTP response. <br />
<br />
=== Reviewer comments ===<br />
<br />
For this lesson, ModSecurity rules can be implemented to inspect Response Headers and look for Set-Cookie data. When we see it, we can create an Application Defect alert if it is missing the HttpOnly flag:<br />
<br />
<pre><br />
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?:\;? ?httponly;?)" \ "phase:3,t:none,t:lowercase,pass,log,auditlog, \<br />
msg:'AppDefect: Missing HttpOnly Cookie Flag.'"<br />
</pre></div>
Stephen Evans