In association with heise online

24 July 2007, 20:11

New Firefox security functionality is vulnerable

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

From version, open-source web browser Firefox includes security functionality to hinder attempts to copy certain pages via JavaScript cookies for URL spoofing purposes. HttpOnly cookies cannot be read out using JavaScript any more, which makes it, for instance, impossible to use the document.cookie JavaScript method for cross-site scripting attacks.

Originally, only Internet Explorer version 6 SP1 and higher versions have supported the cookie format with this additional attribute (Set-Cookie: VAL=023; expires=Tuesday, 24-Jul-07 23:12:40 GMT; httpOnly). So far, only a few pages have used HttpOnly cookies due to compatibility problems. The following piece of code would be enough to test one’s own server under PHP:

header("Set-Cookie: hidden=value; httpOnly");

When the browser is launched, the alert box remains empty.

Unfortunately, this security function can be bypassed. Although Amit Klein described this flaw in a posting on Bugtraq as early as start of 2003, interest in thesetricks has grown onlyrecently. The XMLHTTPRequest JavaScript method can be used to directly read out the cookies to be transmitted in the HTTP header – without document.cookie, provided that a page has an XSS hole which can be used by the attacker to inject and execute arbitrary code. A demo on this bug can be found on

However, the demonstrated exploit is only possible under unusual conditions. It requires the malicious code to reside in the same trust domain as the attacked server (e.g. as a virtual host). Further the server always sets a cookie in the HTTP response header where it can be read by the client using the req.getAllResponseHeaders method.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit