Abstract:
The program does not set the HttpCookie.HttpOnly property to true.
Explanation:
The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script.
This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information
identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the
attacker in order to masquerade as the user or obtain sensitive information.
Example 1: Vulnerable configuration:
<configuration>
<system.web>
<httpCookies httpOnlyCookies=”false”>
Recommendations:
Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate crosssite
scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site,
such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the
user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to clientside
script.
Example 2: Here see the secure configuration. Any cookie marked with this property will be accessible only from server-side
code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to
protect Web-based applications from cross-site scripting attacks. A hacker initiates a cross-site scripting (also called CSS or
XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any
page that accepts input from a user and echoes that input back is potentially vulnerable.
<configuration>
<system.web>
<httpCookies httpOnlyCookies=”true”>
Tips:
1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the
HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly
for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.
2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the
cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important,
as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site
with a legitimate user’s identity.
