Thursday, January 22, 2009

Browser HTTPOnly Support Update

If you update your Windows OS with the MSXML Core Services patch MS08-069, then IE 8 Beta 2 and IE 7 will stop XMLHttpRequest from exposing HTTPOnly cookies in response headers (Set-Cookie headers only). As of this writing, IE 8 Beta 2 and IE 7 are the only browsers that truly stop HTTPOnly Set-Cookie leakage through XMLHttpRequest headers. However, IE 8 Beta 2 and IE 7 are not the HTTPOnly-support winners yet: even with MS08-069 they still leak Set-Cookie2 HTTPOnly cookies in XMLHttpRequest headers!

Firefox is on track to fix this obscure vector completely. The Firefox patch for XMLHttpRequest HTTPOnly protection is marked RESOLVED FIXED and will go live shortly.

Safari and Chrome will also gain complete protection against Set-Cookie/Set-Cookie2 exposure through XMLHttpRequest shortly; the patch has been complete since 12/21/08.

One final, really obscure note: the OWASP WebGoat HTTPOnly lab is broken and does not report IE 8 Beta 2 and IE 7 with MS08-069 as complete in terms of HTTPOnly protection. However, Robert Hansen's HTTPOnly test page now includes Set-Cookie and Set-Cookie2 checks for XMLHttpRequest exposure and should be used until OWASP fixes http://code.google.com/p/webgoat/issues/detail?id=18 .
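A small check in the spirit of the test pages mentioned above, written as an added example (not code from the original post, from WebGoat or from Robert Hansen's page): it parses the string that XMLHttpRequest's getAllResponseHeaders() hands back and lists any HTTPOnly cookies the browser should have withheld, covering both Set-Cookie and Set-Cookie2 so the IE gap described above shows up. The sample header string is constructed.

```javascript
// Parses the CRLF-separated "Name: value" string returned by
// XMLHttpRequest.getAllResponseHeaders() into {name, value} pairs.
function parseResponseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skip blank or malformed lines
    headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return headers;
}

// Returns every HttpOnly cookie that is still visible to script, and which
// header (set-cookie or set-cookie2) carried it. A fully fixed browser
// returns an empty list; the IE behaviour described in the post would
// return only set-cookie2 entries.
function findLeakedHttpOnlyCookies(raw) {
  const leaks = [];
  for (const h of parseResponseHeaders(raw)) {
    if (h.name !== 'set-cookie' && h.name !== 'set-cookie2') continue;
    const attrs = h.value.split(';').map((s) => s.trim());
    const cookieName = attrs[0].split('=')[0];
    const httpOnly = attrs.slice(1).some((a) => a.toLowerCase() === 'httponly');
    if (httpOnly) leaks.push({ header: h.name, cookie: cookieName });
  }
  return leaks;
}

// Constructed sample of what an unpatched browser might expose.
const SAMPLE_HEADERS = [
  'Content-Type: text/html',
  'Set-Cookie: session=abc123; Path=/; HttpOnly',
  'Set-Cookie: theme=dark; Path=/',
  'Set-Cookie2: legacy=xyz; Version=1; HttpOnly',
  '',
].join('\r\n');

// In a browser this runs from an XHR handler, e.g.
//   xhr.onload = () =>
//     console.log(findLeakedHttpOnlyCookies(xhr.getAllResponseHeaders()));
```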

And most importantly, I updated the OWASP HTTPOnly page to reflect this information.
