Importance of enabling Secure and HTTPOnly flag for cookies

Automated scan results often contain many false positives; some findings are legitimate and some reflect design decisions that can be omitted. Most automated scanners report a medium-severity finding when the session identifier cookie does not have the HTTPOnly and Secure flags enabled.

What exactly is the problem? What happens if these flags are disabled for a session identifier?

Let me explain as follows:

HTTPOnly:
The HttpOnly flag is an additional attribute added to a cookie that helps mitigate theft of the cookie through XSS. Declaring a cookie HttpOnly prevents client-side script from reading it: the cookie is omitted from document.cookie, so a script that reads only that cookie gets an empty string.

Exploitation:

Consider a web application that does not have the HTTPOnly flag enabled, where auth_token is the application's session identifier. Executing <script>alert(document.cookie)</script> in the application gives the following output:


Now let us enable the HTTPOnly flag on the session identifier and execute the same script, <script>alert(document.cookie)</script>:

As we can observe from the above screenshot, auth_token is no longer present in the document.cookie value accessible to client-side script.

Secure
The purpose of the Secure flag on a session identifier is to have the browser send the cookie only when the connection between the browser and the server is HTTPS; over a plain HTTP connection the cookie is not sent with the request.

Exploitation

Consider a web application that uses HTTPS by default but does not set the Secure flag on its session cookie. To exploit this, an attacker positioned on the same network as the logged-in user sends the user an HTML file whose source is:

<html>
<!-- the image is requested over http, not https, so the request leaves the browser in plain text -->
<img src="http://www.twitter.com">
</html>

As we can observe, the HTML file makes the browser request a web page, but there is something suspicious in this code: the source of the img tag uses http instead of https, so the request is sent in plain text and can easily be captured with a packet sniffer such as Wireshark. If auth_token does not have the Secure flag and the user opens this HTML page after logging in to the application, the request carries the auth_token cookie in plain text. With the Secure flag enabled, a request made over port 80 (the default port for HTTP) would not carry auth_token at all.
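To make both behaviours concrete, here is an added Python model (not code from the original post) of how a browser treats a cookie parsed from a Set-Cookie header: which cookies go out over http versus https, what document.cookie exposes to script, and the scanner-style check that reports the missing flags. The cookie name auth_token and value abc123 are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value ("name=value; Attr; Attr=val; ...")."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}  # bare attributes such as Secure, HttpOnly
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def cookies_sent_to(jar, scheme: str) -> dict:
    """Cookies a browser attaches to a request over 'http' or 'https'.

    A Secure cookie is only attached on HTTPS; all others go over either scheme.
    """
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


def document_cookie(jar) -> str:
    """What client-side script sees in document.cookie: HttpOnly cookies are omitted."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if not c.httponly)


def audit_session_cookie(header: str) -> list:
    """The check a scanner applies to a session cookie: one finding per missing flag."""
    c = parse_set_cookie(header)
    findings = []
    if not c.httponly:
        findings.append(f"{c.name}: missing HttpOnly (readable via document.cookie / XSS)")
    if not c.secure:
        findings.append(f"{c.name}: missing Secure (sent in clear over http://)")
    return findings


if __name__ == "__main__":
    weak = parse_set_cookie("auth_token=abc123; Path=/")  # constructed sample
    hardened = parse_set_cookie("auth_token=abc123; Path=/; Secure; HttpOnly")
    for label, cookie in (("weak", weak), ("hardened", hardened)):
        print(label, "-> http request:", cookies_sent_to([cookie], "http"),
              "| document.cookie:", repr(document_cookie([cookie])),
              "| findings:", audit_session_cookie(cookie.name + "=" + cookie.value))
```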
