Different browsers apply different security measures when the HTTPOnly flag is set. For example, Opera and Safari do not prohibit JavaScript from writing to cookies. However, reading is always prohibited in the latest version of all major browsers.
But more importantly, why do you want to read an HTTPOnly cookie? If you are a developer, just turn off the flag and make sure you check your code for XSS. I recommend that you avoid disabling this flag if possible. Both the HTTPOnly flag and the "secure" flag (which causes cookies to be sent over HTTPS) must be set.
If you are an attacker, then you want to hijack a session. But there is an easy way around an HTTPOnly session, despite the HTTPOnly flag: you can still ride sessions without knowing the session ID. The MySpace Samy worm did just that. It used XHR to read the CSRF token and then perform an authorized task. Thus, an attacker can do almost everything that a logged-in user can do.
People put too much faith in the HTTPOnly flag; XSS can still be used. You must establish barriers around sensitive functions. For example, to change the password, you must specify the current password. The ability of an administrator to create a new account must require a captcha, which is a CSRF prevention method that cannot be easily circumvented with XHR.
rook Nov 09 '11 at 18:25
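The answer above says a session cookie should carry both the HTTPOnly flag and the Secure flag. The following is an added example, not code from the answer or from any project it mentions: a small Node.js audit that parses raw `Set-Cookie` header values and reports which of those protections are missing. The header strings are constructed for the example; the `SameSite` check goes one step beyond the answer, since that attribute is the modern browser-side complement to the CSRF barriers the answer recommends.

```javascript
// Added example: audit Set-Cookie headers for session-cookie hardening.
// The sample headers below are constructed, not taken from any real site.

// Parse one raw Set-Cookie header value into name, value and attributes.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Report the hardening gaps for a session cookie, in defender's terms:
// what each missing flag exposes, and therefore what a reviewer should ask for.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (attributes.httponly !== true) {
    findings.push('missing HttpOnly: cookie readable via document.cookie if XSS occurs');
  }
  if (attributes.secure !== true) {
    findings.push('missing Secure: cookie also sent over plain HTTP');
  }
  const sameSite =
    typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (sameSite === null || sameSite === 'none') {
    findings.push('SameSite absent or None: cookie attached to cross-site requests');
  }
  return { name, findings, ok: findings.length === 0 };
}

// Constructed sample headers: the first is the weak configuration the answer
// warns about, the second is the hardened form it recommends.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',
  'SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
];

function auditAll(headers) {
  return headers.map(auditSessionCookie);
}

// Stand-alone run: print one line per cookie with its findings.
for (const result of auditAll(SAMPLE_HEADERS)) {
  const status = result.ok ? 'OK' : 'WEAK';
  console.log(`${result.name}: ${status}${result.ok ? '' : ' - ' + result.findings.join('; ')}`);
}
```

Run it with `node audit-cookies.js`; the first sample reports three findings and the second none. Pointing the parser at real response headers (for example the output of `curl -sI`) turns it into a quick regression check that a deployment has not silently dropped the flags.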