The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

C O M M O N   M Y T H

“We’re safe. Our web application scanner didn’t find any

XSS bugs.”

As you will see in Chapter 19, some web applications scanners do a reasonable

job of finding common flaws, including XSS. However, it should be evident at

this point that many XSS vulnerabilities are subtle to detect, and creating a

working exploit can require extensive probing and experimentation. At the

present time, no automated tools are capable of reliably identifying all of 

these bugs.

HttpOnly Cookies and Cross-Site Tracing

As you have seen, one of the various payloads for attacking XSS vulnerabili-

ties is to capture a victim’s session token by using injected JavaScript to access

the 

document.cookie

property. 

HttpOnly

cookies are a defense mechanism

supported by some browsers and employed by some applications in an

attempt to prevent this attack payload from succeeding.

When an application sets a cookie, it can be flagged as 

HttpOnly

in the 

Set-Cookie

header:

Set-Cookie: SessId=12d1a1f856ef224ab424c2454208ff; HttpOnly;

When a cookie is flagged in this way, supporting browsers will prevent

client-side JavaScript from directly accessing the cookie. Although the browser

will still submit the cookie in the HTTP headers of requests, it will not be

included in the string returned by 

document.cookie

. Hence, using 

HttpOnly

cookies can help to prevent an attacker from using XSS flaws to perform ses-

sion hijacking attacks.

N OT E

HttpOnly

Download 5,76 Mb.

Do'stlaringiz bilan baham: