
HTTP-Only cookies - Brought to you by Internet Explorer 6

TL;DR flag all your cookies with HttpOnly

In the last couple of years the attacks against web applications have changed. Cross-site scripting (XSS) has always existed, but it has quickly become the new SQL injection, because virtually every site today lets its users post content to it.

In theory XSS is easy to protect against: just escape the five characters that have predefined entities in XML (&, <, >, " and ') before echoing user input into a page, using the escaping that fits the context the input lands in (HTML body, attribute, script or URL). In practice it is almost impossible to get right everywhere, and almost every big site out there (recently YouTube, Twitter and LinkedIn) has been a victim of XSS.

XSS can be used for more than one thing, but the main threat it poses to a user is session hijacking: a script injected into the page reads the user's cookie (document.cookie) and sends it to the attacker, who can then present that cookie to the site and impersonate the user.

The strange thing is

This doesn't have to be that big of an issue! When Internet Explorer 6 SP1 came out back in 2002 (yup, 2002) it introduced a new cookie attribute: HttpOnly. A cookie set with this flag is only sent to the web server in the Cookie header; scripts running on the web page cannot see it through document.cookie. The flag was never a W3C standard (it was only written down in RFC 6265 in 2011), but every major browser has adopted it.

Not being visible to scripts running on the web page basically solves the problem of session hijacking via XSS, just like that.

This of course doesn't work if you actually need to read your cookie's content from JavaScript on your website. But in most cases you don't, and if you are in doubt you certainly don't.

My impression is that way too few people know about this flag, and the Internet would be a better place if all cookies were flagged with it. Now I have told you, and I hereby urge you to also try to get the word out.

Who uses it today?

Using httpquery.com I did a quick lookup on the world's 10 largest sites to see how many of them actually use HttpOnly cookies today. Here's the result:

  1.  Google
  2.  Facebook
  3.  Youtube
  4.  Yahoo
  5.  Blogger
  6.  Baidu
  7.  Wikipedia
  8.  Windows Live
  9.  Twitter
  10. QQ.com - don't know

So it seems that even among the big guys out there only a fraction bother to add HttpOnly to the header.
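As an added example (not code from the original post), here is a small Python audit in the spirit of the httpquery.com lookup above: it parses the Set-Cookie headers of a response, reports which cookies a script on the page could still read because they lack HttpOnly, and builds a correctly flagged session cookie the way the previous section recommends. The headers in SAMPLE_HEADERS are constructed for illustration, not taken from any real site.

```python
"""Audit Set-Cookie headers for HttpOnly and emit a correctly flagged session cookie.

Added example, not part of the original post. SAMPLE_HEADERS below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)  # attribute name (lower-cased) -> value

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its cookie name and its attributes.

    Attribute names are compared case-insensitively (HttpOnly, httponly and HTTPONLY
    all count), and flag attributes such as HttpOnly and Secure carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name, attrs)


def audit_response(set_cookie_headers):
    """Return the names of cookies a script on the page could read (no HttpOnly flag).

    Takes one string per Set-Cookie header; they must not be joined with commas,
    because an Expires date itself contains a comma.
    """
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not cookie.httponly:
            exposed.append(cookie.name)
    return exposed


def session_cookie(name, value, secure=True):
    """Build a Set-Cookie value for a session cookie with HttpOnly (and Secure) set."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


# Constructed sample response headers: a session cookie without HttpOnly, a flagged
# remember-me cookie, and a tracking cookie without any flags.
SAMPLE_HEADERS = [
    "PHPSESSID=3c0a9d1f; Path=/",
    "remember_me=1; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; HttpOnly",
    "tracking=abc123; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    print("Readable by document.cookie:", audit_response(SAMPLE_HEADERS))
    print("Fixed session header:", session_cookie("PHPSESSID", "3c0a9d1f"))
```

The audit only tells you whether the flag is present; it cannot tell you whether the site needs to read that cookie from JavaScript, which is the one case where adding HttpOnly breaks something. Run it against the Set-Cookie lines of a login response and every name it prints is a session-hijacking candidate under XSS.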

Too good to be true

However, of course there is a catch. Some people will claim the flag is useless, since it doesn't prevent an attacker from executing JavaScript on the page, it only keeps him from reading the user's cookies. They argue this for two reasons:

  1. Even though the script has no direct access to the cookie, there are ways it may be able to get at it indirectly anyway.
  2. The whole reason you want the victim's cookie is to impersonate him/her, but since you already have JavaScript running in the victim's browser you have access to the DOM and can in principle do whatever the victim can do.

Both arguments are without doubt true, but neither of them is strong enough to discard the use of HttpOnly cookies.

Attack vectors for stealing cookies

Getting the cookie data

The most obvious attack is to find another way to access the data in the cookie. Currently there are basically three known ways of doing it.

Cross Site Tracing (XST)

The most creative and elegant attack is called Cross Site Tracing (XST). TRACE is an HTTP method intended for debugging: the server answers a TRACE request by echoing the request it received, headers included, back in the response body. Since the browser attaches the user's cookies to every request to the site, a TRACE response contains the precious Cookie header as plain readable data, HttpOnly or not. While very clever, XST is not a bulletproof method. Firstly it requires that the server has TRACE enabled. Since TRACE is hardly ever used, most system administrators have probably never given it a single thought and left it at the default value. As far as I can see (but I would love to be corrected) Apache seems to be the only major web server where TRACE requests are enabled by default (it is switched off with TraceEnable off). IIS, lighttpd, nginx etc. all have it disabled.

Furthermore, in order to actually perform the TRACE request from the page you need some kind of external component with raw socket support, like Java, Flash or ActiveX, because browsers refuse to send TRACE through XMLHttpRequest. If you don't have anything like this on the vulnerable web page you should be safe from XST.
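The following added example (not from the original post) shows the XST leak on localhost with nothing but the Python standard library: two tiny HTTP servers, one that echoes TRACE the way a debugging-enabled server does and one that refuses it with 405 Method Not Allowed, and a client that plays the part of the plugin with socket access by sending TRACE with a Cookie header. The session value SECRET-SESSION-ID is made up.

```python
"""Cross Site Tracing on localhost: an echoing TRACE handler versus one that refuses TRACE.

Added example, not part of the original post. The cookie value is constructed.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Vulnerable: answers TRACE by reflecting the request line and all request headers."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)  # the Cookie header the client sent comes back here

    def log_message(self, *args):
        pass  # keep the demo quiet


class RefuseTraceHandler(BaseHTTPRequestHandler):
    """Hardened: TRACE is simply not a method this server serves."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def trace_leaks_cookie(handler_cls, cookie="sid=SECRET-SESSION-ID"):
    """Send TRACE with a Cookie header to a server built from handler_cls.

    Returns (status code, True if the cookie string appears in the response body).
    A browser would attach the HttpOnly cookie itself; here the client adds it by
    hand, which is the situation a Flash/Java/ActiveX socket would create.
    """
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: pick a free port
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        conn.close()
        return resp.status, cookie in body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("echoing server  (status, cookie leaked):", trace_leaks_cookie(EchoTraceHandler))
    print("refusing server (status, cookie leaked):", trace_leaks_cookie(RefuseTraceHandler))
```

The point of the second handler is that the fix is not in the cookie at all: the cookie stays HttpOnly in both cases, and the leak exists only because the server turns request headers into response data. Disabling TRACE on the server (or returning 405 as above) closes it regardless of which plugins are on the page.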

HTTP Request Smuggling

This attack is a bit more technical, but it is only relevant if you have a proxy or cache in front of your web server that parses requests differently than the server does. There is a good paper about the attack which explains it far better than I can.

Grabbing cookie from the DOM

The last general attack is grabbing the cookie data from the DOM. This is only possible if the content of the cookie has been written somewhere into a page on your site. That is not something you would normally do on purpose, but it is still quite dangerous, since many webmasters forget to remove their development files that print out debugging information. A good example is phpinfo.php, which lives on way too many web servers around the world and prints the raw Cookie header (HTTP_COOKIE) of the request that fetched it.

If you want to read about these attacks in more depth there is a good post by Amit Klein on seclists.org.

Manipulating the DOM directly

This is kind of a different issue. Since the attacker can execute arbitrary JavaScript on the page, he can also modify the page as he wants, assuming he knows the DOM, and HttpOnly cookies don't help you here, so why bother at all?

The DOM of public pages on Facebook, Twitter etc. is public and free for anyone to inspect. That, however, is only one use case of XSS. The far more dangerous scenario is when the attacker, like when Apache got hacked, uses XSS to grab an admin's session id from a closed internal system he otherwise wouldn't have access to. In this case the attacker does not know the DOM of the page he's attacking and has no way of figuring it out beforehand.

At last

While HttpOnly cookies are not perfect, I still think they are a valuable tool in your security toolbox. There are ways of getting around them, but none of them are bulletproof, and now that you know them it should be easy to protect against them. I very much disagree with people who claim they only give a false sense of security, because while not perfect, HttpOnly cookies really do raise the bar significantly when it comes to exploiting XSS. And best of all, you get it for free: unless you really need to read your cookies from JavaScript there is absolutely no downside at all! So go crazy and enable HttpOnly cookies on all your websites, today!

Feedback

While I believe I understand this issue I always love to get feedback. If you have any comments or corrections please don't hesitate to contact me. I will keep this article up to date in the future as I learn more or simply get the time and feel like expanding it.

Btw, if you liked it, hit the +1 like a man!

Tags: security, internet, explorer, httponly, cookie

Showing 2 comments

By AbiusX on 09/08/2011 at 03:52AM

Excellent post. I read it all and I really enjoyed it, but I'd like to know more: if a browser does not support HttpOnly, what happens to the cookie?