Fix/update the content of HttpOnly Page #1038

95 changes: 50 additions & 45 deletions pages/HttpOnly.md
Expand Up @@ -29,7 +29,7 @@ header. Using the HttpOnly flag when generating a cookie helps mitigate
the risk of client side script accessing the protected cookie (if the
browser supports it).

- The example below shows the syntax used within the **HTTP response
* The example below shows the syntax used within the **HTTP response
header**:

```
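Review bot: this hunk, like most of the others in this file, only swaps the `-` list marker for `*` and changes nothing else; the file used `-` consistently before, so either drop the marker churn or move it to a separate commit so the Jakarta EE rewrite further down can be reviewed on its own.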
Expand Down Expand Up @@ -67,43 +67,48 @@ the browser *returns an empty string* as the result. This causes the
attack to fail by preventing the malicious (usually XSS) code from
sending the data to an attacker's website.

##### Using Java to Set HttpOnly
### Using Jakarta EE or Java EE to Set HttpOnly

Since Java Enterprise Edition 6 (JEE 6), which adopted Java Servlet 3.0
technology, it's programmatically easy to set the HttpOnly flag on a
cookie.
for more information , plwase check [Java EE to Jakarta EE Transition](https://jakarta.ee/about/faq/#what-is-the-java-ee-to-jakarta-ee-transition).
please


In fact `setHttpOnly` and `isHttpOnly` methods are available in the
`Cookie` interface
[JEE 6](http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly%28boolean%29),
[JEE 7](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html#setHttpOnly-boolean-)
and also for session cookies (JSESSIONID)
[JEE 6](http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setHttpOnly%28boolean%29),
[JEE 7](https://docs.oracle.com/javaee/7/api/javax/servlet/SessionCookieConfig.html#setHttpOnly-boolean-)
`cookie.setHttpOnly(true);`
Since **Jakarta EE 9**, which adopted **Jakarta Servlet 5.0** technology, it's programmatically easy to set the `HttpOnly` flag on a cookie.

Moreover, since JEE 6 it's also declaratively easy setting `HttpOnly`
flag in a session cookie by applying the following configuration in the
deployment descriptor `WEB-INF/web.xml`:
In fact, the `setHttpOnly` and `isHttpOnly` methods are available in the [`jakarta.servlet.http.Cookie`](https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/http/Cookie.html) interface, as well as for session cookies (`JSESSIONID`) using [`jakarta.servlet.SessionCookieConfig`](https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/SessionCookieConfig.html):

```java
Cookie cookie = new Cookie("sessionId", "abc123");
This doesn't seem like a practical example for a security community

cookie.setHttpOnly(true); // Mark the cookie as HttpOnly
response.addCookie(cookie);
```
Moreover, since Jakarta EE 9, it's also declaratively easy to set the `HttpOnly` flag for session cookies by applying the following configuration in the deployment descriptor `WEB-INF/web.xml`:
The example seems the same as the v6 example, so saying since v9 is misleading


```xml
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
version="6.0">
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
</web-app>
```
For environments using **Java EE 8**, which support **Servlet 4.0**, you can easily set the `HttpOnly` attribute :

For Java Enterprise Edition versions *prior* to JEE 6 a common
**workaround** is to overwrite the `SET-COOKIE` HTTP response header
with a session cookie value that explicitly appends the `HttpOnly` flag:
The`HttpOnly` flag can be set using the `jakarta.servlet.http.Cookie` (or `javax.servlet.http.Cookie` in Java EE 8) API:

```java
String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

import jakarta.servlet.http.Cookie;
Cookie cookie = new Cookie("sessionId", "abc123");
This doesn't seem like a practical example for a security community

Additionally the code seems exactly the same as above so why bother?? Why not make the other "since 8" and skip the 9 example?

cookie.setHttpOnly(true); // Set the HttpOnly flag
response.addCookie(cookie);

```


In this context, overwriting, despite appropriate for the `HttpOnly`
flag, is discouraged because the JSESSIONID may have been set with other
flags. A better workaround is taking care of the previously set flags or
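Review bot: the unchanged context paragraph at the end of this hunk ("In this context, overwriting, despite appropriate for the `HttpOnly` flag, is discouraged because the JSESSIONID may have been set with other flags. A better workaround is ...") still discusses the `response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");` workaround that this hunk deletes, so it now dangles; either keep the pre-JEE 6 workaround (that paragraph only makes sense with it) or remove the paragraph too. Two version mismatches also need fixing: the `web.xml` example declares `version="6.0"` with `web-app_6_0.xsd` (Servlet 6.0 / Jakarta EE 10) while the new prose says "since Jakarta EE 9" and "Jakarta Servlet 5.0", and the "Java EE 8" snippet imports `jakarta.servlet.http.Cookie` even though the sentence right above it says Java EE 8 uses `javax.servlet.http.Cookie`. As the inline comments already point out, the two Java snippets are identical apart from that import; one snippet plus a sentence on the `javax` to `jakarta` package rename would cover both. Minor: "plwase" and the stray space in "for more information ," in the added sentence, "attribute :" and "The`HttpOnly`" (missing space) in the Java EE 8 paragraph, and `Cookie` is a class, not an interface.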
Expand Down Expand Up @@ -139,7 +144,7 @@ Some web application servers, that implement JEE 5, and servlet
containers that implement Java Servlet 2.5 (part of JEE 5), also allow
creating HttpOnly session cookies:

- **Tomcat 6** In `context.xml` set the `context` tag's attribute `useHttpOnly`
* **Tomcat 6** In `context.xml` set the `context` tag's attribute `useHttpOnly`
[4](http://tomcat.apache.org/tomcat-6.0-doc/config/context.html#Common_Attributes)
as follow:

Expand All @@ -148,7 +153,7 @@ as follow:
<Context path="/myWebApplicationPath" useHttpOnly="true">
```

- **JBoss 5.0.1** and **JBOSS EAP 5.0.1** In
* **JBoss 5.0.1** and **JBOSS EAP 5.0.1** In
`server <myJBossServerInstance> \deploy\jbossweb.sar\context.xml`
set the `SessionCookie` tag
[5](https://community.jboss.org/message/598558#598558) as follow:
Expand All @@ -158,21 +163,21 @@ set the `SessionCookie` tag
<SessionCookie secure="true" httpOnly="true" />
```

- **IBM Websphere** offer HTTPOnly for session cookies as a [configuration option](http://pic.dhe.ibm.com/infocenter/tivihelp/v33r1/topic/com.ibm.mam.inswas.doc/install/t_configuringthehttponlyattribute.html)
* **IBM Websphere** offer HTTPOnly for session cookies as a [configuration option](http://pic.dhe.ibm.com/infocenter/tivihelp/v33r1/topic/com.ibm.mam.inswas.doc/install/t_configuringthehttponlyattribute.html)

##### Using .NET to Set HttpOnly

- By *default*, **.NET 2.0** sets the HttpOnly attribute for
* By *default*, **.NET 2.0** sets the HttpOnly attribute for
1. Session ID
2. Forms Authentication cookie

In .NET 2.0, HttpOnly can also be set via the HttpCookie object for all custom application cookies

- Via **web.config** in the system.web/httpCookies element
* Via **web.config** in the system.web/httpCookies element

`<httpCookies httpOnlyCookies="true" …> `

- Or **programmatically**
* Or **programmatically**

C# Code:

Expand All @@ -190,7 +195,7 @@ myCookie.HttpOnly = True
Response.AppendCookie(myCookie)
```

- However, in **.NET 1.1**, you would have to do this *manually*,
* However, in **.NET 1.1**, you would have to do this *manually*,
e.g.,

`Response.Cookies[cookie].Path += ";HttpOnly";`
Expand Down Expand Up @@ -238,9 +243,9 @@ bool setcookie ( string $name [, string $value [, int $expire= 0 [, string $
If code changes are infeasible, web application firewalls can be used to
add HttpOnly to session cookies:

- Mod_security - using SecRule and Header
* Mod_security - using SecRule and Header
directives[8](http://blog.modsecurity.org/2008/12/fixing-both-missing-httponly-and-secure-cookie-flags.html)
- ESAPI
* ESAPI
WAF[9](http://code.google.com/p/owasp-esapi-java/downloads/list)
using *add-http-only-flag*
directive[10](http://www.slideshare.net/llamakong/owasp-esapi-waf-appsec-dc-2009)
Expand Down Expand Up @@ -342,22 +347,22 @@ flag.

2) After turning HttpOnly off, select the **“Read Cookie”** button.

- An alert dialog box will display on the screen notifying you that
* An alert dialog box will display on the screen notifying you that
*since HttpOnly was not enabled*, the **‘unique2u’ cookie** was
successfully read as shown below in **figure 3**.

![Fig3-Read_HTTPOnly_Off.PNG](../assets/images/Fig3-Read_HTTPOnly_Off.PNG)

3) With HttpOnly remaining disabled, select the **“Write Cookie”** button.

- An alert dialog box will display on the screen notifying you that
* An alert dialog box will display on the screen notifying you that
*since HttpOnly was not enabled*, the **‘unique2u’ cookie** was
successfully modified on the client side as shown below in **figure
4**.

![Fig4-Write_HTTPOnly_Off.PNG](../assets/images/Fig4-Write_HTTPOnly_Off.PNG)

- As you have seen thus far, **browsing without HttpOnly** on is a
* As you have seen thus far, **browsing without HttpOnly** on is a
potential ***threat***. Next, we will **enable HttpOnly** to
demonstrate how this flag protects the cookie.

Expand All @@ -369,31 +374,31 @@ demonstrate how this flag protects the cookie.

5) After enabling HttpOnly, select the **"Read Cookie"** button.

- If the browser enforces the HttpOnly flag properly, an alert dialog
* If the browser enforces the HttpOnly flag properly, an alert dialog
box will display only the session ID rather than the contents of the
**‘unique2u’ cookie** as shown below in **figure 6**.

![Fig6-Cookie_Read_Protection.PNG](../assets/images/Fig6-Cookie_Read_Protection.PNG)

- However, if the browser does not enforce the HttpOnly flag properly,
* However, if the browser does not enforce the HttpOnly flag properly,
an alert dialog box will display both the **‘unique2u’ cookie** and
session ID as shown below in **figure 7**.

![Fig7-No_Cookie_Read_Protection.PNG](../assets/images/Fig7-No_Cookie_Read_Protection.PNG)

- Finally, we will test if the browser allows **write access** to the
* Finally, we will test if the browser allows **write access** to the
cookie with HttpOnly enabled.

6) Select the **"Write Cookie"** button.

- If the browser enforces the HttpOnly flag properly, client side
* If the browser enforces the HttpOnly flag properly, client side
modification will be unsuccessful in writing to the **‘unique2u’
cookie** and an alert dialog box will display only containing the
session ID as shown below in **figure 8**.

![Fig6-Cookie_Read_Protection.PNG](../assets/images/Fig6-Cookie_Read_Protection.PNG)

- However, if the browser does not enforce the write protection
* However, if the browser does not enforce the write protection
property of HttpOnly flag for the **‘unique2u’ cookie**, the cookie
will be successfully modified to *HACKED* on the client side as
shown below in **figure 9**.
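Review bot: unrelated to the marker swap, but while this block is being touched: the figure 8 paragraph ("an alert dialog box will display only containing the session ID as shown below in **figure 8**") is followed by `![Fig6-Cookie_Read_Protection.PNG](../assets/images/Fig6-Cookie_Read_Protection.PNG)`, the same image already used for figure 6; check whether a separate figure 8 asset exists and point this line at it.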
Expand All @@ -409,4 +414,4 @@ shown below in **figure 9**.
5. MSDN. [Setting the HttpOnly property in .NET](http://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx)
6. [XSS: Gaining access to HttpOnly Cookie in 2012](http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html)
7. [Setting HttpOnly in Java](http://stackoverflow.com/questions/13147113/setting-an-httponly-cookie-with-javax-servlet-2-5)
8. [Misunderstandings on HttpOnly Cookie](https://web.archive.org/web/20130701055119/http://blog.fortify.com:80/blog/2011/11/02/Misunderstandings-on-HttpOnly-Cookie)
8. [Misunderstandings on HttpOnly Cookie](https://web.archive.org/web/20130701055119/http://blog.fortify.com:80/blog/2011/11/02/Misunderstandings-on-HttpOnly-Cookie)
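Review bot: the two versions of reference 8 are character-for-character identical in the rendered diff, so this is most likely a trailing-whitespace or end-of-file-newline change; confirm that is intentional and mention it in the commit message, since otherwise the hunk reads as a no-op.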