1. Introduction

When a cookie has the HttpOnly flag set, JavaScript cannot read it, even if an XSS vulnerability is exploited. This is the reason the HttpOnly flag was introduced: it restricts reading of the cookie by JavaScript. Does that stop the attacker? Reading is prevented, but what about writing? The HttpOnly flag was not introduced to prevent writing, so writing is potentially interesting. It turns out that a cookie with the HttpOnly flag can be overwritten by JavaScript in some browsers, and an attacker can use this to launch a session fixation attack, which is the subject of this article.

2. Overwriting a cookie with HttpOnly flag by JavaScript

When JavaScript can overwrite a cookie with the HttpOnly flag, an attacker who exploits an XSS vulnerability can launch a session fixation attack through that HttpOnly cookie (session fixation is described in one of my previous articles [1]).

As a consequence of a session fixation attack, the attacker can impersonate the victim, because he knows the victim's session ID. The assumption here is that the application does not regenerate the session after successful login. One can say at this point that the flaw is in the application itself, since it should regenerate the session after login. This is true, but there is still no reason for some browsers to let JavaScript overwrite a cookie with the HttpOnly flag: that possibility is exactly what lets the attacker take advantage of the missing session regeneration and complete the session fixation attack.

What about the case in which the session ID is regenerated after successful login? Can the attacker still use the overwrite? Yes: the attacker can switch the user to the attacker's own account by setting the user's session cookie to the session the attacker is currently using. The user then believes he is working in his own account and enters sensitive information into the attacker's account instead.

3. Browsers which allow JavaScript to overwrite HttpOnly cookie

I found that the following browsers allow JavaScript to overwrite HttpOnly cookies:

  • Safari
  • Opera Mobile
  • Opera Mini
  • BlackBerry browser
  • Konqueror browser

The problem was reported to the vendors (4 February 2014).

Internet Explorer, Firefox and Opera (standard install) are not vulnerable to the aforementioned attack.

4. Response from vendors

Opera Software confirmed the problem in Opera Mobile and Opera Mini. They decided to fix the issue in Opera Mini (the date of the fix has not been determined). Although Opera Mobile was still available on Google Play at the time of submission, Opera Software considered it legacy and decided not to fix it (they responded that its replacement is Opera for Android, which does prevent JavaScript from overwriting an HttpOnly cookie).

BlackBerry responded that PlayBook tablet OS (I used this one while testing) has been announced as out of support as of April 2014 and the issue will not be fixed. However, the issue was reported before the OS end of support was announced and they decided to put me on Acknowledgements 2014 list of BlackBerry Security Incident Response Team (due to their policy my name will be put there by the end of April 2014) [2].

The issue was confirmed in Konqueror, but it will probably not be fixed. The discussion of this bug is available in the KDE Bugtracking System [3].

The issue was reported to Apple two months ago, and since then I haven’t received any feedback from them.

5. Playing with the issue

Here is a simple piece of PHP code: the server keeps a counter in two cookies, one with the HttpOnly flag and one without, and the page's JavaScript then tries to overwrite the HttpOnly one.

<?php
// Read the counters the browser sent back (0 on the first visit) and store
// them incremented. cookie1 gets the HttpOnly flag, cookie2 does not.
$c1 = (isset($_COOKIE['cookie1']) ? (int)$_COOKIE['cookie1'] : 0) + 1;
$c2 = (isset($_COOKIE['cookie2']) ? (int)$_COOKIE['cookie2'] : 0) + 1;
// setcookie(name, value, expires, path, domain, secure, httponly)
setcookie('cookie1', $c1, time() + 2592000, '/', '', false, true);
setcookie('cookie2', $c2, time() + 2592000, '/', '', false, false);
?>

<HTML>

<?php
// Show the values that have just been set.
print "Cookie1: " . $c1 . "<br>";
print "Cookie2: " . $c2;
?>

<!-- HttpOnly hides cookie1, so the alert shows cookie2 only -->
<script>alert(document.cookie);</script>

<!-- Attempt to overwrite the HttpOnly cookie from JavaScript -->
<script>document.cookie='cookie1=100; expires=Thu, 2 Aug 2014 20:00:00 UTC; path=/';</script>

</HTML>

The procedure is as follows: load the page in one of the browsers listed above, then reload it. On the reload the server reads cookie1 (which has the HttpOnly flag) as 100, the value written by JavaScript, and the printed counter continues from there, showing that the HttpOnly cookie has been overwritten. A browser that honours the flag keeps the server-set value and the counter simply increases by one.
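To show what the browsers in section 3 get wrong, here is an added example (not code from the article) of a cookie store that follows RFC 6265 section 5.3, step 10: a cookie written from a non-HTTP API such as document.cookie must not replace an existing cookie that has the HttpOnly flag. The store, its method names and the `enforceHttpOnly` switch are assumptions; `replayTest` replays the test page above against a compliant store and against one that skips the check.

```javascript
// Added example, not the article's code. Models RFC 6265 s.5.3 step 10: a
// cookie set from a non-HTTP API (document.cookie) must not replace an
// existing HttpOnly cookie. enforceHttpOnly=false models the affected browsers.
class CookieStore {
  constructor(enforceHttpOnly = true) {
    this.enforceHttpOnly = enforceHttpOnly;
    this.jar = new Map(); // name -> { value, httpOnly }
  }
  // Set-Cookie received over HTTP may create or replace any cookie.
  setFromHttp(name, value, httpOnly = false) {
    this.jar.set(name, { value, httpOnly });
  }
  // document.cookie = 'name=value; expires=...; path=/' from script.
  // Returns true if the cookie was stored, false if it was discarded.
  setFromScript(cookieString) {
    const pair = cookieString.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 0) return false; // no name=value pair, ignore
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    const old = this.jar.get(name);
    if (this.enforceHttpOnly && old && old.httpOnly) {
      return false; // step 10: abort, the HttpOnly cookie stays as it was
    }
    this.jar.set(name, { value, httpOnly: false });
    return true;
  }
  // What document.cookie reads back: HttpOnly cookies are hidden.
  documentCookie() {
    return [...this.jar].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
  // What the server receives in the Cookie request header.
  cookieHeader() {
    return [...this.jar].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Replays the article's test page: the server sets cookie1 (HttpOnly) and
// cookie2 to 1, then the page's script tries to set cookie1 to 100.
function replayTest(enforceHttpOnly) {
  const store = new CookieStore(enforceHttpOnly);
  store.setFromHttp('cookie1', '1', true);
  store.setFromHttp('cookie2', '1');
  const written = store.setFromScript(
    'cookie1=100; expires=Thu, 2 Aug 2014 20:00:00 UTC; path=/');
  return { written, visible: store.documentCookie(), sent: store.cookieHeader() };
}
```

In the compliant case the server still receives cookie1=1 on the next request; in the non-compliant case it receives cookie1=100, which is what the PHP counter above makes visible.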

6. Summary

The HttpOnly flag was introduced to prevent JavaScript from reading a cookie that carries it. It turns out, however, that such a cookie can be overwritten by JavaScript in some browsers, which an attacker can use to launch a session fixation attack. This article listed the browsers that allow JavaScript to overwrite an HttpOnly cookie, together with the responses from the vendors, and finally demonstrated a simple piece of code for playing with the issue.

References:

[1] Understanding Session Fixation

http://resources.infosecinstitute.com/understanding-session-fixation/ (access date: 4 April 2014)

[2] Acknowledgements 2014 – BlackBerry Security Incident Response Team

http://ca.blackberry.com/business/topics/security/incident-response-team/collaborations.html (access date: 4 April 2014)

[3] KDE Bugtracking System – Bypassing HttpOnly cookie in Konqueror

https://bugs.kde.org/show_bug.cgi?id=330751 (access date: 4 April 2014)