1

Topic: Cookie parameter Httponly, does it work outside MSIE?

Just wondering, if you have an idea of that parameter being implemented on other navigators, since it doesn't belong to the original specification, it wasn't before. But times change, and it's a nice way to help protect cookies from xss :)

Marc

Re: Cookie parameter Httponly, does it work outside MSIE?

I have no idea what it is. Perhaps you can enlighten me?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

3

Re: Cookie parameter Httponly, does it work outside MSIE?

Well, cookies can be read through javascript (try alert(document.cookie); if you want to see it at work), that's one of the ways cookie hijacking happens, if you can insert some script into a website and have the cookie transferred to somewhere else. MS decided that adding another value after the 'secure' that specified that this cookie can only be read through http communications, they would help mitigate xss vulnerability. Which is true, only that they implemented it AFAIK alone, outside the NS cookie specification.

Since I'm not that fan of using several browsers, and my natural market are fully MS oriented, I've been using it for long (in fact, I modified punBB's cookie to send it that as well ;) ), but I couldn't help noticing that some people here use non-standard browsers (namely, at least firefox), so...

I could write a simple page that tested it, but I am a lazy person, if somebody knows, it's easier asking :)

Marc

Re: Cookie parameter Httponly, does it work outside MSIE?

I had no idea there was such a value. It seems like a very simple solution to a big problem.

I can try it in Firefox and Opera if you like. Do you have a test URL?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

5 (edited by MarcB 2004-02-16 17:43)

Re: Cookie parameter Httponly, does it work outside MSIE?

Yeow, sure, took a while to set it up in a way that you could see the difference... :)

Cookie tester

And now don't come down on me cause that server supports asp only.

My JS response is:
Navigator: Microsoft Internet Explorer
Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Minor version: ;SP1;Q810847;Q813951;Q813489;Q330994;Q818529;...;
Cookies:
NoHTTPOnly=Visible; ASPSESSIONIDGGGGGGGG=Whatever...

If you can see the httponly cookies, you'll get something like:
NoHTTPOnly=Visible; HTTPOnly=Invisible_for_MSIE; ASPSESSIONIDGGGGGGGG=Whatever...

Marc
PS: I added some extra info on the JS. If your MSIE is not 6.01+, it should display both cookies + the session id.
PPS: Thanks for testing this one :)

Re: Cookie parameter Httponly, does it work outside MSIE?

Opera 7.23:

Navigator: Microsoft Internet Explorer
Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Minor version:
Cookies:
ASPSESSIONIDGGGGGGGG=KPDNAGMCDMQSLZIAQKWKESQQPQQQHECE; NoHTTPOnly=Visible; HTTPOnly=Invisible_for_MSIE

Firefox: Nothing :/

"Programming is like sex: one mistake and you have to support it for the rest of your life."

7

Re: Cookie parameter Httponly, does it work outside MSIE?

Whaddayamean Nothing?
Doesn't it support javascript? The code's nothing fancy, mind you...
Well, I can strip it into two parts, let's see...
try again, if you please :-)

Be warned that this trick *can* be bypassed, but it requires elaborate code using at least two different technologies. But, it's still something to look at, I expect future developments on the matter, if other browsers start implementing this correctly :)

Re: Cookie parameter Httponly, does it work outside MSIE?

Ok, first of all. What is supposed to happen exactly?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

9

Re: Cookie parameter Httponly, does it work outside MSIE?

You receive two cookies on the first load of the page. Since the server cannot read if the cookies were accepted until the page is reloaded, that's why there's a reload button. If you reload, then on the lines below, a description of both cookies should appear:
NoHTTPOnly=Visible
HTTPOnly=Invisible_for_MSIE

Then, pressing any of the other buttons, you should see either that the invisible label becomes visible with info similar to that one provided by opera, or that it appears on a popup. I don't have *any* experience with firefox, so I can't tell, although I've DLed it, I'm not that eager to install more soft on this machine, so I'll probably start up the linux box and test it there.

The thing is, if you're using MSIE6.01 or superior, the cookies that include HttpOnly cannot be read from a script within the page, thus making them in theory invulnerable to xss cookie hijacking. I say in theory, cause you could create a java applet that accessed directly the page and stole the whole http headers, but then the site must already be xss vulnerable, as usual. Somebody mentioned a combination of flash, java and a script could in theory allow you to steal the cookie, so this new behavior of the navigator is not a panacea, but it's a first step, which makes it much harder to properly abuse an xss vulnerability. But not impossible. Navigators that don't support the httponly tag, should degrade gracefully and have no further problems (but no special immunity also) whatsoever.

Fiu, whether it works or not, you can't say I didn't write about it ;)

Marc
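
An added example, not part of the original thread or its test page: a small JavaScript model of the two-cookie test described above, showing what script can read versus what is sent back to the server. The header values are constructed, and the function names and the `honorsHttpOnly` flag are hypothetical.

```javascript
// Constructed Set-Cookie headers mirroring the thread's two test cookies.
const SET_COOKIE_HEADERS = [
  'NoHTTPOnly=Visible; path=/',
  'HTTPOnly=Invisible_for_MSIE; path=/; HttpOnly',
];

// Parse one Set-Cookie header into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    // Attribute names are case-insensitive; HttpOnly carries no value.
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// Build a cookie jar from a list of response headers.
function buildJar(headers) {
  return headers.map(parseSetCookie).filter(Boolean);
}

// What script obtains from document.cookie. A browser that does not
// implement the attribute (honorsHttpOnly = false) exposes every cookie.
function documentCookie(jar, honorsHttpOnly) {
  return jar
    .filter((c) => !(honorsHttpOnly && c.httpOnly))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What goes back in the Cookie request header: every cookie, flagged or not,
// which is why the server-side listing after a reload shows both.
function cookieRequestHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

const jar = buildJar(SET_COOKIE_HEADERS);
console.log('script, attribute honored:', documentCookie(jar, true));
console.log('script, attribute ignored:', documentCookie(jar, false));
console.log('sent to server           :', cookieRequestHeader(jar));
```
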

Re: Cookie parameter Httponly, does it work outside MSIE?

Ok, now I understand. I just got lost in all the buttons. One button would have been enough :)

In Firefox, the only thing that is visible is the ASPSESSIONID thingy. NoHTTPOnly and HTTPOnly are not displayed (neither on the page itself or in the alert box). Also, the "Click to see JS available cookies on this page" button doesn't work. Nothing happens when I click it.

In Opera 7.23 all the variables are displayed. That is, it doesn't support HTTPOnly.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Cookie parameter Httponly, does it work outside MSIE?

Here are screenshots of the results:

http://w1.421.telia.com/~u42121130/firefox.png

http://w1.421.telia.com/~u42121130/opera.png

"Programming is like sex: one mistake and you have to support it for the rest of your life."

12

Re: Cookie parameter Httponly, does it work outside MSIE?

Well, I guess that settles it: Firefox doesn't "degrade gracefully", and Opera does but doesn't support the standard modification.

So it's still a very MSIE-only like thing :(
Well, it'll have to do ;)

Tak!

Marc

Re: Cookie parameter Httponly, does it work outside MSIE?

MarcB wrote:

Tak!

That's Danish :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."

14

Re: Cookie parameter Httponly, does it work outside MSIE?

Ehhh ¿sorry?
It sounded like that when I heard it... now I'm not so sure *where* I heard it. I couldn't understand half of what she said anyway... like it would have made a difference ;)
The other word I *thought* I knew was 'Hej', now if you tell me that's Norwegian or Icelandic... I'll go buy that dictionary

Re: Cookie parameter Httponly, does it work outside MSIE?

I actually think hej is Swedish, Danish and Norwegian.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

16

Re: Cookie parameter Httponly, does it work outside MSIE?

Those are the words I like!
But you made me look after that one... and man, it's sooooo different... Tack... well, not that bad a choice, I never saw it written, just heard it. And thank God it didn't have one of those strange as with an o on top... which sound similar but not quite like the German ä...

Oh, well, looky what I found here...
The Swedish for ONION is LÖK  (LOOK)
Imagine you look like an onion.
The Swedish for CAKE is TARTA  (TORTA)
Imagine your daughter eating cake.
The Swedish for MUSHROOM is SVAMP (SVAMP)
Imagine a large mushroom growing in a swamp.
The Swedish for MEAT is KÖTT  (SHUT)
Imagine you shut the door on someone throwing meat at you.
The Swedish for SUGAR is SOCKER  (SOCCER)
Imagine a game of soccer on a field of sugar.
The Swedish for WATER is VATTEN  (VATTA)
Imagine you get fatter with water.
The Swedish for SOUP is SOPPA  (SOPA)
Imagine soup that tastes like soap.

So I guess Swedish soup is not that good <lol>

Re: Cookie parameter Httponly, does it work outside MSIE?

Hahaha

"Programming is like sex: one mistake and you have to support it for the rest of your life."

18

Re: Cookie parameter Httponly, does it work outside MSIE?

Rickard wrote:

I actually think hej is Swedish, Danish and Norwegian.

"Hei" is Norwegian ;)