Cookies with HttpOnly Flag: Problem in Some Browsers
1. Introduction
When a cookie has HttpOnly flag set, then JavaScript cannot read it in case of XSS exploitation. This is actually the reason why HttpOnly flag was introduced. As it can be seen, HttpOnly flag puts some restriction on cookie reading by JavaScript. Does it mean that the attacker is stopped at this point? Reading is prevented, but what about writing? HttpOnly flag was not introduced to prevent writing, so this might be potentially interesting. It turns out that HttpOnly flag can be overwritten by JavaScript in some browsers, and this overwriting possibility can be used by the attacker to launch a session fixation attack, what is the subject of the article.
2. Overwriting a cookie with HttpOnly flag by JavaScript
When JavaScript can overwrite a cookie with HttpOnly flag, then the attacker can launch a session fixation attack via an HttpOnly cookie in case of XSS exploitation (you can read about session fixation attack in one of my previous articles [1]).
As a consequence of a session fixation attack, the attacker can impersonate the victim, as he knows the victim's session ID. The assumption here is that the session is not regenerated in the application after successful login. One can say at this point, that the flaw is in the application itself, because the application does not regenerate the session after successful login. This is true, but there is no reason to allow JavaScript to overwrite HttpOnly flag in some browsers, and this overwriting possibility can be used to take advantage of no session regeneration in the application after successful login in order to finally launch a session fixation attack.
What about the case when session ID is regenerated after successful login? Can it be used somehow by the attacker? Then the attacker can switch a user to his own account by setting the user's session to the one that the attacker is currently using. Then the user thinks that he is using his own account, and actually enters some sensitive information to the attacker's account.
3. Browsers which allow JavaScript to overwrite HttpOnly cookie
I found that the following browsers allow JavaScript to overwrite HttpOnly cookies:
- Safari
- Opera Mobile
- Opera Mini
- BlackBerry browser
-
Konqueror browser
The problem was reported to the vendors (4 February 2014).
Internet Explorer, Firefox and Opera (standard install) are not vulnerable to the aforementioned attack.
4. Response from vendors
Opera Software confirmed the problem in Opera Mobile and Opera Mini. They decided to fix the issue in Opera Mini (date of fixing has not been determined). Although Opera Mobile was available on Google Play at the time of submission, Opera Software considered it to be legacy and didn't decide to fix it (they responded that the replacement is Opera for Android, which prevents JavaScript from overwriting HttpOnly cookie).
BlackBerry responded that PlayBook tablet OS (I used this one while testing) has been announced as out of support as of April 2014 and the issue will not be fixed. However, the issue was reported before the OS end of support was announced and they decided to put me on Acknowledgements 2014 list of BlackBerry Security Incident Response Team (due to their policy my name will be put there by the end of April 2014) [2].
The issue was confirmed in Konqueror, but probably it will not be fixed. The conversation about this bug is available in KDE Bugtracking System [3].
The issue was reported to Apple two months ago, and since then I haven't received any feedback from them.
5. Playing with the issue
Here is the simple piece of code:
[html]
<?
setcookie('cookie1',++$_COOKIE['cookie1'],time()+2592000,'/','',0,1);
setcookie('cookie2',++$_COOKIE['cookie2'],time()+2592000,'/','',0,0);
<HTML>
<?
print "Cookie1: ".$_COOKIE['cookie1']."<br>";
print "Cookie2: ".$_COOKIE['cookie2'];
<script>alert(document.cookie);</script>
<script>document.cookie='cookie1=100; expires=Thu, 2 Aug 2014 20:00:00 UTC; path=/';</script>
</HTML>
[/html]
The procedure is as follows – run it and then see that cookie1 (which has set HttpOnly flag) has been overwritten by JavaScript.
6. Summary
HttpOnly flag was introduced to prevent JavaScript from reading a cookie with HttpOnly flag. It turns out, however, that a cookie with HttpOnly flag can be overwritten by JavaScript in some browsers, what can be used by the attacker to launch session fixation attack. It was presented, which browsers allow JavaScript to overwrite HttpOnly cookie together with response from vendors. Finally, a simple piece of code was demonstrated to play with this issue.
References:
[1] Understanding Session Fixation
https://resources.infosecinstitute.com/understanding-session-fixation/ (access date: 4 April 2014)
[2] Acknowledgements 2014 - BlackBerry Security Incident Response Team
http://ca.blackberry.com/business/topics/security/incident-response-team/collaborations.html
(access date: 4 April 2014)
[3] KDE Bugtracking System – Bypassing HttpOnly cookie in Konqueror
https://bugs.kde.org/show_bug.cgi?id=330751 (access date: 4 April 2014)