Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise security organizations often find themselves caught between the ever-changing needs of an agile business and the ever-present, ever-evolving threats to that business. At the same time, all too often we security professionals get caught up in "shiny object syndrome", which leads us to spend poorly, allocate resources unwisely, and generally decouple from the organization we're chartered to defend. Knowing how to defend begins with knowing what you'll be defending, why it is worth defending, and whom you'll be defending against... and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective... so follow the Wh1t3 Rabbit and remember that tools alone don't solve problems; strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Security Frustrations - HttpOnly Directive

Security can be frustrating.

It's even more frustrating when a possible mitigant for one of the more prevalent attacks, Cross-Site Scripting (XSS), has existed since 2002 and it still takes years to get it implemented.  XSS has been with us since the idea of a 'session' came into being and someone figured out how to "steal" a session from a browser by injecting script that reads the session cookie and ships it off to the attacker.  Shortly after that started happening, Microsoft came up with a simple idea: a cookie attribute that tells the browser to keep sending the cookie with HTTP requests to the issuing site as usual, but to refuse to expose it to client-side script (it disappears from document.cookie).  An injected script can then no longer read the session cookie, which takes the classic cookie-theft payload off the table; it does not stop the injection itself.  They quickly baked this mitigant, the HttpOnly attribute, into Internet Explorer 6 Service Pack 1.

Now, there are nuances and arguments that this won't solve every instance of the attack (mainly because you're relying on the client, the browser, to enforce a protection for a server-side flaw, so a browser that ignores the attribute gives you nothing), but every bit helps, and HttpOnly is a terrific way of doing something simple (or so one would think) to work towards eliminating session and cookie theft.  Not so much.

It took literally years for Mozilla to fix the issue (originally reported on 11/7/2002 and resolved on 3/19/2008), logged as Bug ID 178993, and it was even worse for Apple's Safari (whose open-source core is WebKit): the bug was reported there on 9/20/2006 (yes, four years later on Apple's platform), is still unresolved, and is currently labeled "New/Enhancement" as WebKit Bug ID 10957.

Ordinarily this kind of delay would be enough to push someone with a vested interest in security over the edge, but we in the community have been patiently waiting for all browsers to handle this effectively.  There are other issues too.  Keep in mind that the cookies that matter most for session handling, the ones the platform issues out of the box, for example JSESSIONID, often can't carry the HttpOnly attribute at all, because the server container sets them and the flag isn't configurable anywhere.  So let's be clear: Microsoft's technologies support HttpOnly (ASP.NET exposes it per cookie through HttpCookie.HttpOnly and sets it globally through the httpOnlyCookies attribute of the <httpCookies> element in web.config), PHP supports it (the httponly argument to setcookie(), and session.cookie_httponly for PHPSESSID), but J2EE does not: the Servlet 2.5 Cookie API has no way to set it, and only the later Servlet 3.0 specification adds Cookie.setHttpOnly() and a <cookie-config><http-only> element in web.xml.  Shocking.
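As an added example (not code from the original post, nor from any of the platforms it names), here is a small Node.js script that does the two things the preceding paragraphs describe: it emits a session cookie with the HttpOnly and Secure attributes set the way a server should, and it audits a list of captured Set-Cookie headers, such as a JSESSIONID issued by a container that can't set the flag, for cookies that injected script could read. The sample headers and the list of cookie names it treats as session identifiers are constructed assumptions for the example.

```javascript
// Added example, not from the original post: build Set-Cookie headers with the
// HttpOnly flag and audit captured Set-Cookie headers for cookies missing it.
// Runs under Node.js; the sample headers at the bottom are constructed.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eqIdx = parts[0].indexOf('=');
  const cookie = {
    name: (eqIdx === -1 ? parts[0] : parts[0].slice(0, eqIdx)).trim(),
    value: eqIdx === -1 ? '' : parts[0].slice(eqIdx + 1).trim(),
    httpOnly: false,
    secure: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;      // flag attributes carry no value
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = val;                   // path, domain, expires, ...
  }
  return cookie;
}

// Build the header a server should send for a session cookie. Name and value are
// validated so a user-influenced value cannot inject extra attributes or headers.
function buildSetCookie(name, value, { httpOnly = true, secure = true, path = '/' } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (value === '' || /[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  let header = `${name}=${value}; Path=${path}`;
  if (secure) header += '; Secure';
  if (httpOnly) header += '; HttpOnly';
  return header;
}

// Assumed list of names that usually carry a session identifier; a missing
// HttpOnly flag on one of these is the finding an auditor most wants to see.
const SESSION_COOKIE_NAMES = /^(JSESSIONID|PHPSESSID|ASP\.NET_SessionId|ASPSESSIONID\w*|sessionid|sid)$/i;

// Audit a list of Set-Cookie values; returns one finding per cookie that script could read.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (c.httpOnly) continue;
    findings.push({
      name: c.name,
      severity: SESSION_COOKIE_NAMES.test(c.name) ? 'high' : 'low',
      reason: 'Set-Cookie lacks HttpOnly; readable via document.cookie after XSS',
    });
  }
  return findings;
}

// Constructed sample headers: a J2EE container's default session cookie (no flag),
// a PHP session cookie with the flag set, and a harmless preference cookie.
const SAMPLE_HEADERS = [
  'JSESSIONID=0E4A6B2B7C9D1F3E; Path=/app',
  'PHPSESSID=ff1d9c3e2a; Path=/; HttpOnly',
  'theme=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT',
];

console.log(buildSetCookie('JSESSIONID', '0E4A6B2B7C9D1F3E', { path: '/app' }));
// → JSESSIONID=0E4A6B2B7C9D1F3E; Path=/app; Secure; HttpOnly
console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
// → two findings: JSESSIONID (high) and theme (low)
```

The audit is the part worth wiring into a build or a proxy: feed it every Set-Cookie header the application emits and fail on any 'high' finding, since that is exactly the JSESSIONID case where the container, not your code, decided the cookie would be readable from script.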

It wouldn't be fair to close this article out without mentioning the HttpOnly shortcomings.  Most Cross-Site Scripting (XSS) attacks really won't be trying to steal your cookie: injected script can already make requests to the application from the victim's browser, and the browser attaches the cookie to those requests automatically, so the script can act as the user without ever reading the cookie value, or simply do something else ugly inside the page.  What makes this uglier still is that XMLHttpRequest implementations have exposed the raw Set-Cookie response header through getAllResponseHeaders(), handing script the very cookie value that the HttpOnly attribute was supposed to hide.  But barring all the issues, it still makes sense to implement this option, even if it helps only marginally.


There's also a great reference on the OWASP web site for HttpOnly; read more there if you're interested!


The opinions expressed above are the personal opinions of the authors, not of HP.