Internet Explorer 6.0 SP1 and ASP.NET 2.0 combine forces

When I was writing up the Cross-Site Scripting (XSS) demo for Astrid Hackenberg, I found out something nice. (For a primer on XSS, check a previous post.) I noticed that it was not possible to steal the cookie using JavaScript. That could mean only one thing: HttpOnly cookies. I did not post anything on this security enhancement, although I promised to in that same post.

The general idea is this: IE 6.0 SP1 introduces a new attribute for the Set-Cookie header called HttpOnly. When appended to the end of the header, it restricts how the cookie can be used: the browser will still send the cookie back and forth between client and server, but you cannot read or modify it using JavaScript. This effectively removes the danger of cookie hijacking/stealing through injected script.

The ASP.NET 2.0 runtime appends the HttpOnly attribute to the authentication cookie it issues:

Set-Cookie: .ASPXAUTH=2A561E003E7562F4653CC1B21DF6595136BD956E36D68981F3EAFA657307A385F; path=/; HttpOnly

Only IE 6.0 SP1 understands the HttpOnly attribute, which means you still have to make sure that your site exposes no XSS vulnerabilities. HttpOnly does nothing in older IE versions or in other browsers, and even where it is honoured it does not prevent defacing the site through injected JavaScript.
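As an added example (not code from the original post), here is a small check a developer can run over a response's Set-Cookie headers to find cookies that still lack HttpOnly, the ones injected script could read. The header list is constructed; only the .ASPXAUTH value is the one shown above.

```python
"""Audit HTTP response headers for cookies that lack the HttpOnly attribute.

Added example, not code from the original post. The sample headers are
constructed; only the .ASPXAUTH value mirrors the post's own example.
"""
from typing import Dict, List, Optional, Tuple

Attributes = Dict[str, Optional[str]]


def parse_set_cookie(header_value: str) -> Tuple[str, str, Attributes]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are stored lowercased;
    flags such as HttpOnly and Secure carry no value and map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: Attributes = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ";" or a doubled ";;"
        key, sep, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attributes


def cookies_without_httponly(headers: List[Tuple[str, str]]) -> List[str]:
    """Names of cookies in a response that script on the page can still read.

    Each header is a (field-name, field-value) pair as received from the
    server; headers other than Set-Cookie are ignored.
    """
    missing = []
    for field_name, field_value in headers:
        if field_name.lower() != "set-cookie":
            continue
        name, _, attributes = parse_set_cookie(field_value)
        if "httponly" not in attributes:
            missing.append(name)
    return missing


# Constructed sample response; the .ASPXAUTH value is the one shown in the post.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", ".ASPXAUTH=2A561E003E7562F4653CC1B21DF6595136BD956E36D68981F3"
                   "EAFA657307A385F; path=/; HttpOnly"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; httponly"),
]
```

Running `cookies_without_httponly(SAMPLE_HEADERS)` reports only ASP.NET_SessionId, because the lowercase `httponly` on the third cookie is accepted just like the mixed-case form.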
