New Firefox security functionality is vulnerable
From version 2.0.0.5, the open-source web browser Firefox supports HttpOnly cookies, a security feature intended to hinder the theft of cookies by JavaScript. Cookies marked HttpOnly can no longer be read out from JavaScript, which makes it impossible, for instance, to exfiltrate them through the document.cookie property in a cross-site scripting attack.
Until now, only Internet Explorer version 6 SP1 and later have supported the cookie format with this additional attribute (Set-Cookie: VAL=023; expires=Tuesday, 24-Jul-07 23:12:40 GMT; httpOnly). So far, only a few sites have used HttpOnly cookies because of compatibility problems. The following piece of code is enough to test one's own server under PHP:
<?php header("Set-Cookie: hidden=value; httpOnly"); ?>
<html>
<body>
<script>
alert(document.cookie);
</script>
</body>
</html>
When the page is loaded in the browser, the alert box remains empty.
Unfortunately, this security function can be bypassed. Although Amit Klein described this flaw in a posting on Bugtraq as early as the beginning of 2003, interest in these tricks has grown only recently. The XMLHttpRequest JavaScript object can be used to read the cookies directly from the HTTP headers in which they are transmitted, without going through document.cookie, provided that a page has an XSS hole through which the attacker can inject and execute arbitrary code. A demo of this bug can be found on ha.ckers.org.
However, the demonstrated exploit is only possible under unusual conditions. It requires the malicious code to reside in the same trust domain as the attacked server (e.g. as a virtual host). Furthermore, the server must always set the cookie in the HTTP response header, where the client can read it with the getAllResponseHeaders method of the XMLHttpRequest object.
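The following is an added example, not code from the article or from Firefox, that models both behaviours described above in plain JavaScript: on the server side, how a Set-Cookie header with the HttpOnly attribute is built and how a response can be audited for cookies that lack the flag; on the browser side, why document.cookie stays empty for such a cookie, why a getAllResponseHeaders implementation that exposes Set-Cookie leaks it anyway, and the remedy later adopted in the XMLHttpRequest specification, which treats Set-Cookie and Set-Cookie2 as forbidden response-header names that script never sees. The cookie names and values and the sample response are constructed for the example; the browser-side functions are simplified models of the real APIs, not the browser's implementation.

```javascript
// Added example (not from the original article): a model of HttpOnly cookie
// handling on the server side and in the browser, including the XMLHttpRequest
// header leak discussed above and the filtering that closes it.

// Server side: build a Set-Cookie header value. Rejects characters that would
// let a value smuggle in extra attributes or headers.
function buildSetCookie(name, value, { httpOnly = true, secure = false, path = '/' } = {}) {
  if (/[;\r\n]/.test(name) || /[;\r\n]/.test(value)) {
    throw new Error('cookie name/value must not contain ";" or line breaks');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its name, value and the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Server-side audit: names of cookies a response sets without HttpOnly.
// `headers` is an array of [name, value] pairs (a response may carry several Set-Cookie lines).
function auditSetCookieHeaders(headers) {
  return headers
    .filter(([k]) => k.toLowerCase() === 'set-cookie')
    .map(([, v]) => parseSetCookie(v))
    .filter(c => !c.httpOnly)
    .map(c => c.name);
}

// Browser-side model: the cookie jar a response produces.
function cookieJarFromResponse(headers) {
  return headers
    .filter(([k]) => k.toLowerCase() === 'set-cookie')
    .map(([, v]) => parseSetCookie(v));
}

// Browser-side model of document.cookie: HttpOnly cookies are excluded,
// which is exactly what the Firefox 2.0.0.5 feature provides.
function documentCookieView(jar) {
  return jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// The leak: a getAllResponseHeaders that returns every header verbatim lets
// script read the HttpOnly cookie straight out of the Set-Cookie line.
function naiveGetAllResponseHeaders(headers) {
  return headers.map(([k, v]) => `${k}: ${v}`).join('\r\n');
}

// The fix from the XMLHttpRequest specification: Set-Cookie and Set-Cookie2
// are forbidden response-header names and are never exposed to script.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);
function filteredGetAllResponseHeaders(headers) {
  return headers
    .filter(([k]) => !FORBIDDEN_RESPONSE_HEADERS.has(k.toLowerCase()))
    .map(([k, v]) => `${k}: ${v}`)
    .join('\r\n');
}

// Constructed sample response: a session cookie set with HttpOnly and a
// harmless preference cookie set without it.
function exampleHeaders() {
  return [
    ['Content-Type', 'text/html'],
    ['Set-Cookie', buildSetCookie('hidden', 'value')],
    ['Set-Cookie', buildSetCookie('theme', 'dark', { httpOnly: false })],
  ];
}

// Walk through the scenario when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  const headers = exampleHeaders();
  console.log('document.cookie       :', JSON.stringify(documentCookieView(cookieJarFromResponse(headers))));
  console.log('naive XHR headers     :', JSON.stringify(naiveGetAllResponseHeaders(headers)));
  console.log('filtered XHR headers  :', JSON.stringify(filteredGetAllResponseHeaders(headers)));
  console.log('cookies lacking HttpOnly:', auditSetCookieHeaders(headers));
}
```

Running the block shows the session cookie missing from the document.cookie view, present in the naive header dump, and absent again once Set-Cookie is filtered; the audit helper is the server-side check worth wiring into a deployment test so that every session cookie actually carries the flag.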
See also:
- XS(T) attack variants which can, in some cases, eliminate the need for TRACE, security advisory by Amit Klein
- Round-up: Ways to bypass HttpOnly (and HTTP Basic auth), security advisory by Amit Klein
(mba)