This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "HttpOnly"
(Changed Figure 1 to a thumbnail) |
m (Text and figures 3 & 4 implemented) |
||
Line 49: | Line 49: | ||
The following test was performed on two browsers, '''Internet Explorer 7''' and '''Opera 9.22''', to demonstrate the results when the HTTPOnly flag is enforced properly. As you will see, IE7 properly enforces the HTTPOnly flag, whereas Opera does not properly enforce the HTTPOnly flag. | The following test was performed on two browsers, '''Internet Explorer 7''' and '''Opera 9.22''', to demonstrate the results when the HTTPOnly flag is enforced properly. As you will see, IE7 properly enforces the HTTPOnly flag, whereas Opera does not properly enforce the HTTPOnly flag. | ||
− | + | 1) Select the option to '''turn HTTPOnly off''' as shown below in '''figure 2'''. | |
[[Image:Fig2-Disabling_HTTPOnly.PNG|frame|center|Figure 2 - Disabling HTTPOnly]] | [[Image:Fig2-Disabling_HTTPOnly.PNG|frame|center|Figure 2 - Disabling HTTPOnly]] | ||
− | + | 2) After turning HTTPOnly off, select the '''“Read Cookie”''' button. | |
− | An alert dialog box will display on the screen notifying you that ''since HTTPOnly was not enabled'', the | + | *An alert dialog box will display on the screen notifying you that ''since HTTPOnly was not enabled'', the '''‘unique2u’ cookie''' was successfully read as shown below in '''figure 3'''. |
+ | |||
+ | [[Image:Fig3-Read_HTTPOnly_Off.PNG|frame|center|Figure 3 - Cookie Successfully Read with HTTPOnly Off]] | ||
+ | |||
+ | 3) With HTTPOnly remaining disabled, select the '''“Write Cookie” ''' button. | ||
+ | |||
+ | *An alert dialog box will display on the screen notifying you that since HTTPOnly was not enabled, the '''‘unique2u’ cookie''' was successfully modified on the client side as shown below in '''figure 4'''. | ||
+ | |||
+ | [[Image:Fig4-Write_HTTPOnly_Off.PNG|frame|center|Figure 4 - Cookie Successfully Written with HTTPOnly Off]] |
Revision as of 19:48, 26 July 2007
Overview
Browsers Supporting HTTPOnly
Using WebGoat's HTTPOnly lesson, the following web browsers have been tested for HTTPOnly capabilities. The results are listed below in table 1.
Browser | Version | Supports HTTPOnly? |
---|---|---|
Microsoft Internet Explorer | 6 (SP1) - 7 | Partially* |
Mozilla Firefox | 2.0.0.5 | Partially* |
Netscape Navigator | 9.0b2 | No |
Opera | 9.22 | No |
- An attacker could still access the session identifier cookie using a XmlHttpRequest.
Using WebGoat to Test for HTTPOnly Capabilities
Getting Started
Assuming you have already installed and launched WebGoat, begin by navigating to the ‘HTTPOnly Test’ lesson located within the Cross-Site Scripting (XSS) category. After selecting the ‘HTTPOnly Test’ link, as shown in figure 1, you are now able to begin testing web browsers that support HTTPOnly.
Lesson Goal
If the HTTPOnly flag is set, then your browser should not allow client-side script to access the cookie. Unfortunately, since the attribute is relatively new, several browsers neglect to handle the new attribute properly.
The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly and you enable it for a cookie, client side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. However, some browsers only prevent client side read access, but do not prevent write access.
Testing Web Browsers for HTTPOnly Support
The following test was performed on two browsers, Internet Explorer 7 and Opera 9.22, to demonstrate the results when the HTTPOnly flag is enforced properly. As you will see, IE7 properly enforces the HTTPOnly flag, whereas Opera does not properly enforce the HTTPOnly flag.
1) Select the option to turn HTTPOnly off as shown below in figure 2.
2) After turning HTTPOnly off, select the “Read Cookie” button.
- An alert dialog box will display on the screen notifying you that since HTTPOnly was not enabled, the ‘unique2u’ cookie was successfully read as shown below in figure 3.
3) With HTTPOnly remaining disabled, select the “Write Cookie” button.
- An alert dialog box will display on the screen notifying you that since HTTPOnly was not enabled, the ‘unique2u’ cookie was successfully modified on the client side as shown below in figure 4.