TraceSecurity Information Security Analysts notice trends when performing vulnerability assessments and penetration tests. One of the most common medium-risk vulnerabilities is the “Missing httpOnly Cookie Attribute” vulnerability. Simply put, this vulnerability occurs when an application that generates session cookies is missing the ‘httpOnly’ cookie attribute. But what does that really mean? And how is this a notable risk to an organization’s information security? In this article we will break down the meaning of this vulnerability, the risk associated with it, and the best methods to mitigate it. First, let’s address what the ‘httpOnly’ cookie attribute is and what it does.
The Risk of HttpOnly
According to the Open Worldwide Application Security Project (OWASP), the ’httpOnly’ cookie attribute was first implemented in 2002 for Internet Explorer 6 SP1. It is an additional flag that is included in a Set-Cookie HTTP response header, which is used in web applications to send a cookie from a server to the user agent so that the user agent can send it back to the server later. This is done whenever a user establishes a connection to a web application. When the httpOnly flag is set, the risk of a client-side script accessing the cookie is mitigated. It does this by blocking information from third parties who attempt to access the session cookies that the website generates. If an attacker attempts to access the session cookies that have the attribute set, the browser will return an empty string as the result. This greatly reduces the risk of cross-site scripting. When a HTTP Response Header has the ‘httpOnly’ attribute set, the syntax will look like this:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
`[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
So what is cross-site scripting? And how is it a threat to an organization? Cross Site Scripting attacks, commonly abbreviated as XSS, are a type of injection attack in which malicious scripts are injected into trusted websites. The attack occurs when an attacker executes the injection and causes the web application to send their malicious code to a different end user. This causes the unsuspecting end user’s browser to execute the malicious script that the attacker created, and this can cause a variety of issues. In the context of this attack, an attacker can use this vulnerability to access an end-user’s session tokens, which is very sensitive information. Once an attacker has an end-user’s session token, they can perform a session hijacking attack. This attack occurs when a web session is exploited by an attacker, granting them unauthorized access to a web server using an end-user’s session. This allows the attacker to access all the resources that the end-user has on the website, which can be everything from VPN connections to banking information.
Now how do we prevent this from happening? According to Senior Security Program Manager Michael Howard at the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target session cookies. A server that sets the HttpOnly flag will greatly mitigate the risk of this attack occurring. There are a variety of ways to set the attribute based on the application that is vulnerable. For Java applications, it is as simple as changing the configuration to include cookie.setHttpOnly(true). But there are a variety of ways to set the HttpOnly cookie for other applications. This article from OWASP shows how to set the cookie for a variety of applications such as Java, Python, PHP, and more. The article also lists the browsers that support HttpOnly. If an end-user is using a web browser that does not support the flag, they will not be protected from the XSS attacks. This is more common for outdated web browsers such as older versions of Internet Explorer and Opera.
Annual Assessments & Testing
TraceSecurity recommends performing penetration tests and vulnerability assessments on your networks regularly to check for vulnerabilities such as these. Some organizations could be vulnerable to vulnerabilities such as this, and they will never know unless they conduct testing or until it is too late. Anyone can be susceptible to these types of attacks, and it is important to perform regular testing to ensure your organization is protected.
By Gavin Debetaz, Information Security Analyst
Gavin has been honing his cybersecurity testing skills with TraceSecurity for over 3 years. Starting as an Associate Information Security Analyst, he focused on performing penetration testing, vulnerability assessments, phishing, and vishing engagements. Once promoted to a full-time Information Security Analyst, Gavin now also performs IT security audits and onsite social engineering tests. He earned a Bachelor of Science in Computer Science from Louisiana State University and currently holds a certification in Security+.