Comments on Manicode: Opera 9.5 HttpOnly Read Prevention
Blogger comment feed for Jim Manico's post (10 comments, newest first; times are UTC-10)

Anonymous, 2009-11-29 01:34:
Hello. And Bye.

Jim Manico, 2008-08-31 16:57:
Surely. And once the site can be XSS'ed, it's game over with all current browsers. That's why I'm trying to encourage different platforms (browsers, namely) to support *complete* HttpOnly protection - http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly which includes read, write and XMLHttpRequest prevention/protection.

And frankly, encoding data in a way that completely protects your site from XSS is not that difficult, see: http://manicode.blogspot.com/2008/08/input-validation-not-that-important.html

kuza55, 2008-08-31 16:52:
Yes, I realise; the comment was simply there for completeness. Note that the attack I describe relies on the path attribute, and since we're talking about HttpOnly cookies here, we've already assumed that the attacker has XSSed the site.

Jim Manico, 2008-08-31 16:49:
Cookie overriding like you are describing can only occur within one domain hierarchy. Domain www.evil.com cannot deploy code to override www.mysecuresite.com's cookies.

kuza55, 2008-08-31 16:12:
Cookies can be set with javascript, just do document.cookie='name=value';

And cookies can be set for other domains, namely any domain above the current domain in the domain tree (i.e. www.google.com can set a cookie for google.com), but the more important issue is that by setting a different path you can effectively override the httpOnly cookie. Visit this link: http://kuza55.awardspace.com/httponly.php then refresh it once it's finished loading (I'm too lazy to split it up into two pages) and you'll see that the httpOnly cookie is effectively overwritten for the server (the $_COOKIE variable is dumped to the page). Even though the original httpOnly cookie also exists, server-side code only sees the most specific cookie for a given cookie name.

Jim Manico, 2008-08-31 14:40:
I am not certain I follow your comment. A cookie is only set server-side; a programmer, via server code, cannot create or modify a cookie in a response for a different domain.

So I'm not sure what you mean by "prevent cookies with the same name, but a different path or domain being written" - I would love to hear more about this attack.

HttpOnly is just one small crusade to help enhance the security of today's web technologies. Sure it can be circumvented in a variety of ways - but it still lowers the risk against session-stealing XSS attacks.

Jim Manico, 2008-08-31 14:34:
Heretic!

kuza55, 2008-08-31 03:40:
You seriously need to find a more relevant crusade; httpOnly is completely useless in 99% of cases.

In any case, none of the browsers prevent cookies with the same name, but a different path or domain, being written, and so it is almost always possible to overwrite the cookie when necessary (just by flooding the browser with a bunch of cookies with all the folders and files in the root directory; you can't change the cookie for the absolute root, but that's pretty irrelevant).

Jim Manico, 2008-07-06 19:21:
Opera HttpOnly support has been around since Opera 9.5 Beta 1 http://www.opera.com/docs/changelogs/windows/950b1/index.dml

Jim Manico, 2008-06-15 23:06:
Opera bug posted requesting complete HttpOnly support - bug-339209@bugs.opera.com
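The path-shadowing trick kuza55 describes in the thread above, as an added example that is not part of the original post or of any commenter's code (it does not reproduce kuza55's demo page). It is a small Node.js model of the RFC 6265 rules that make the attack work: script cannot read an HttpOnly cookie and cannot replace it at the same path, but it can plant a same-named cookie with a more specific path, and the browser then sends that cookie first, so a "first occurrence wins" server parser (the $_COOKIE behaviour kuza55 mentions) sees the attacker's value. The cookie name "session", the values and the paths are constructed; the domain attribute is left out of the model for brevity.

```javascript
// Added example: a model of RFC 6265 cookie storage and Cookie-header
// construction, enough to show how a same-named cookie on a more specific
// path shadows an HttpOnly session cookie. All names/values are constructed.

const jar = []; // one browser cookie store, one host

// RFC 6265 section 5.1.4: does cookiePath path-match requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Store a cookie. fromHttp=true models a Set-Cookie response header,
// fromHttp=false models an assignment to document.cookie by script.
function storeCookie(name, value, path, { httpOnly = false, fromHttp = true } = {}) {
  if (!fromHttp && httpOnly) return false; // script cannot set the HttpOnly flag
  const idx = jar.findIndex(c => c.name === name && c.path === path);
  if (idx !== -1) {
    // RFC 6265 section 5.3 step 10: script may not replace an existing
    // HttpOnly cookie with the same name and path ("write prevention").
    if (jar[idx].httpOnly && !fromHttp) return false;
    jar.splice(idx, 1);
  }
  jar.push({ name, value, path, httpOnly });
  return true;
}

// What document.cookie returns: HttpOnly cookies are hidden from script
// (the "read prevention" the post is about).
function documentCookie(requestPath) {
  return jar.filter(c => !c.httpOnly && pathMatches(requestPath, c.path))
            .map(c => `${c.name}=${c.value}`).join('; ');
}

// Cookie request header: RFC 6265 section 5.4 step 2 puts cookies with
// longer paths first, so the shadowing cookie precedes the real one.
function cookieHeaderFor(requestPath) {
  return jar.filter(c => pathMatches(requestPath, c.path))
            .sort((a, b) => b.path.length - a.path.length)
            .map(c => `${c.name}=${c.value}`).join('; ');
}

// Server side, "first occurrence wins" (as with PHP's $_COOKIE): the
// attacker's more specific cookie is the value the application uses.
function firstWinsParse(header) {
  const out = {};
  for (const part of header.split(/;\s*/)) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = part.slice(0, eq);
    if (!(name in out)) out[name] = part.slice(eq + 1);
  }
  return out;
}

// Practitioner check: the same name appearing twice in one Cookie header
// is the signature of this attack; a server can refuse such a session.
function duplicateCookieNames(header) {
  const seen = new Set(), dups = new Set();
  for (const part of header.split(/;\s*/)) {
    if (!part) continue;
    const name = part.slice(0, part.indexOf('='));
    if (seen.has(name)) dups.add(name); else seen.add(name);
  }
  return [...dups];
}

function runScenario() {
  jar.length = 0;
  // 1. The server sets the real session cookie, HttpOnly, for the whole site.
  storeCookie('session', 'victim-sid', '/', { httpOnly: true, fromHttp: true });
  // 2. Injected script cannot read it ...
  const leaked = documentCookie('/account/settings');
  // 3. ... and cannot overwrite it at the same path ...
  const overwritten = storeCookie('session', 'evil-sid', '/', { fromHttp: false });
  // 4. ... but can plant a same-named cookie with a more specific path.
  const shadowed = storeCookie('session', 'evil-sid', '/account', { fromHttp: false });
  const header = cookieHeaderFor('/account/settings');
  return {
    leaked, overwritten, shadowed, header,
    serverSees: firstWinsParse(header).session,   // the attacker's value
    rootHeader: cookieHeaderFor('/'),             // root requests are unaffected
    dups: duplicateCookieNames(header),
  };
}

console.log(runScenario());
```

The model also shows the limit kuza55 notes: a request to the absolute root still carries only the real cookie, which is why the attack has to cover the application's real paths. The duplicate-name check is the cheap server-side mitigation; it does not stop the cookie from being planted, but it stops the application from silently accepting the shadowed value.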