tzam tzam - 4 days ago 5
Javascript Question

How to read a secure cookie using JavaScript

Is there any way to read a secure cookie with javascript? I tried to do it using document.cookie and as far as I can see here http://securitymusings.com/article/909/secure-cookies-the-httponly-flag I cannot access a secure cookie this way.

Can anyone offer me a workaround?

Answer

Different Browsers enable different security measures when the HTTPOnly flag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.

But more importantly why do you want to read an HTTPOnly cookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly flag and "secure flag" (which forces the cookie to be sent over https) should always be set.

If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly flag. You can still ride on the session without knowing the session id. The MySpace Sammy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. There for the attacker could do almost anything that the logged user could do.

People have too much faith in the HTTPOnly flag, XSS can still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.

Comments