Can this XSS protection work with HttpOnly Cookies?

I did some research on the HttpOnly cookies and the problems that exist with the ability to use the XHR request in conjunction with the TRACE method to get the cookie value that was fetched back from the server.

For a secure web application, I currently have the following setup:

  • A cookie session is sent when you log in with the security and httpOnly settings set.
  • TRACE http method disabled for full domain (return "405 Method not allowed")

To avoid faking a cross site request, I added a random key in a hidden field to the forms. This key must be returned in every POST request in order to accept the request.

In addition, all HTML files are escaped by default, using a white list to select tags and attributes that are allowed, but to illustrate why this is not enough: we previously allowed the use of a style attribute on span (for example, for colored text), which used to transfer javascript to Internet Explorer as follows:

<span style="width: expression(alert('Example'));"> </span>

And then to the final question: can anyone point out any flaws or suggestions for possible flaws in this setting? Or do you use the same or completely different approaches?

Known Issues:

  • Not all browsers support httpOnly.
  • Filtering css JS expressions is not enough, @import (external style) may also work
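The style-attribute problem above is a deny-list failure: stripping `expression(` leaves `@import`, `url()` and whatever the next browser quirk is. The following is an added example (not code from the question or from any answer) of the positive, allow-list approach for inline `style` on `span`: only a few properties are accepted, each with a strict pattern for its whole value, so anything unforeseen is dropped by default. Property names and patterns are an assumed, deliberately small allow-list; `denylist_style` is included only to contrast the weaker approach.

```python
import re

# Assumed allow-list: CSS properties accepted on <span style="..."> paired with
# a strict regex that the ENTIRE value must match. Anything else is dropped.
ALLOWED_PROPERTIES = {
    "color": re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}"),
    "font-weight": re.compile(r"normal|bold|[1-9]00"),
    "text-decoration": re.compile(r"none|underline|line-through"),
}


def sanitize_style(style):
    """Return a cleaned style string containing only allow-listed declarations.

    Each 'prop: value' declaration is split on its first ':'; the property must
    be in ALLOWED_PROPERTIES and the whole value must match that property's
    pattern. Because the check is positive (what is allowed) rather than
    negative (expression(), @import, url(), ...), constructs the filter author
    never heard of are rejected as well.
    """
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue  # not a 'prop: value' pair, e.g. a bare '@import x.css'
        prop, value = declaration.split(":", 1)
        prop = prop.strip().lower()
        value = value.strip()
        pattern = ALLOWED_PROPERTIES.get(prop)
        # '@import url(http://...)' splits into prop '@import url(http' -> rejected
        # 'width: expression(...)'  -> 'width' is not allow-listed -> rejected
        # 'color: expression(...)'  -> value has '(' so it fails the pattern -> rejected
        if pattern is None or not pattern.fullmatch(value):
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def denylist_style(style):
    """The approach the question found insufficient: block one known-bad token.

    It catches the IE expression() trick but passes '@import' untouched.
    """
    return "" if "expression(" in style.lower() else style
```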

( ) , , Httponly cookie document.cookie , XSS (.. t cookie CSRF), , javascript, .., ..

, . .

, , XSS CSRF:

  • html, ?
  • , ?
  • , - , URL, ..?
  • , ?
  • Content-Type ?
  • , HTTP, Cache-Control?
  • , ? , CSS, , ?
  • javascript, ?
  • cookie , ?
  • , HTTP, ?
  • CSRF - , ? , ?
  • ?
  • ?
  • , ..? , ( GIFAR) ?
  • API- , , ? crossdomain?

HttpOnly Cookies - , XSS, xss. .

xsrf secuirty, , XSS, , xss.

. POST .

, XSS JavaScript, , xmlhttprequest. , xmlhttprequest, XSRF, POST. , XSS , . - , , , .

XSS - , <> html-. PHP :

$var=htmlspecialchars($var,ENT_QUOTES);

, xss. html. , , . , , "onload =".

$var="' onload='alert(document.cookie)'";

html:

print("<img src='http://HOST/img.php?=".$var."'>");

HOWEVER, , <span>, - , ! xss, <script>. , , " " " ".

"XST", HTTP "TRACE", . , - HTTP- "TRACE". "GET" "POST" javascript <img> "GET", HTTP- . , TRACE Apache, , . , Nessus, , Apache TRACE, .


Source: https://habr.com/ru/post/1733069/
