XSS攻击是否有可能获得HttpOnly cookie?
[英]Is it possible for a XSS attack to obtain HttpOnly cookies?
Reading this blog post about HttpOnly cookies made me start thinking, is it possible for an HttpOnly cookie to be obtained through any form of XSS? Jeff mentions that it "raises the bar considerably" but makes it sound like it doesn't completely protect against XSS.
阅读关于HttpOnly cookies的博客文章让我开始思考,是否有可能通过任何形式的XSS获得HttpOnly cookie?杰夫提到它“大大提高了标准”,但听起来似乎并没有完全抵御XSS。
Aside from the fact that not all browser support this feature properly, how could a hacker obtain a user's cookies if they are HttpOnly?
除了并非所有浏览器都能正确支持此功能外,黑客如何获取用户的cookie(如果他们是HttpOnly)?
I can't think of any way to make an HttpOnly cookie send itself to another site or be read by script, so it seems like this is a safe security feature, but I'm always amazed at how easily some people can work around many security layers.
我想不出任何方法可以让HttpOnly cookie发送到另一个站点或者通过脚本读取,所以看起来这是一个安全的安全功能,但我总是惊讶于一些人可以轻松地解决许多问题安全层。
In the environment I work in, we use IE exclusively so other browsers aren't a concern. I'm looking specifically for other ways that this could become an issue that don't rely on browser specific flaws.
在我工作的环境中,我们专门使用IE,因此其他浏览器不是问题。我正在寻找其他方式,这可能成为一个不依赖于浏览器特定缺陷的问题。
5 个解决方案
#1
21
First, as some others mentioned, XSS can allow other payloads, not just cookie stealing.
首先,正如其他人提到的那样,XSS可以允许其他有效负载,而不仅仅是cookie窃取。
But, is there anyway to steal httpOnly cookies, with XSS? (ignoring the question of httpOnly support?).... The answer is: Yes.
A subset of XSS is known as Cross-Site Tracing (XST) (or go to the original research paper). This attack has the XSS payload send an HTTP TRACE request to the web server (or proxy, forward OR reverse), which will echo back to the client the full request - INCLUDING YOUR COOKIES, httpOnly or not. The XSS payload can then parse the returned info, and retrieve those delicious cookies...
但是,无论如何使用XSS窃取httpOnly cookie? (忽略httpOnly支持的问题?)....答案是:是的。 XSS的一个子集称为跨站点跟踪(XST)(或转到原始研究论文)。此攻击使XSS有效负载向Web服务器(或代理,正向或反向)发送HTTP TRACE请求,该请求将向客户端回送完整请求 - 包括您的COOKIES,httpOnly与否。然后,XSS有效负载可以解析返回的信息,并检索那些美味的cookie ...
Btw, yet another "subset" (kinda) of XSS, involves injecting payload into response headers. Though similar, this isnt exactly XSS, and Header Injection can even lead to HTTP Response Splitting (HRS) - which is much more powerful, allows near complete control of other clients, cache poisoning, and of course access to cookies, if so wished.
顺便说一下,XSS的另一个“子集”(有点)涉及将有效负载注入响应头。虽然类似,但这并不完全是XSS,Header Injection甚至可以导致HTTP响应拆分(HRS) - 它更强大,允许几乎完全控制其他客户端,缓存中毒,当然还有访问cookie,如果愿意的话。
#2
5
If the browser doesn't understand HttpOnly, the attack succeeds. Edit: okay, you are not concerned. That's fine, but I will leave this notice just for reference. It is useful to state it explicitly.
如果浏览器不理解HttpOnly,则攻击成功。编辑:好的,你不担心。那没关系,但我会留下这个通知仅供参考。明确说明它是有用的。
Another way of stealing besides sniffing the network would be direct control of user's computer. Then the cookies can be read from a file. If it's a session cookie, it will be of course removed after browser is closed.
除了嗅探网络之外,窃取的另一种方式是直接控制用户的计算机。然后可以从文件中读取cookie。如果它是会话cookie,它将在浏览器关闭后被删除。
By the way, stealing session cookie is not the only possible "payload" of XSS attack. For example it may make your CSRF protection useless. It may alter contents of your site to deceive the user. And many other malicious things.
顺便说一下,窃取会话cookie不是XSS攻击唯一可能的“有效载荷”。例如,它可能会使您的CSRF保护无效。它可能会改变您网站的内容以欺骗用户。还有很多其他恶意的东西。
So better protect yourself in a good way (escape output), and think about HttpOnly as additional layer of protection.
因此,以更好的方式更好地保护自己(逃避输出),并将HttpOnly视为额外的保护层。
#3
2
Using HttpOnly cookies will prevent XSS attacks from getting those cookies.
使用HttpOnly cookie可以防止XSS攻击获取这些cookie。
Unless:
- your browser does not support HttpOnly
- there is a hitherto unknown vulnerability in the browser which breaks HttpOnly
- the server has been compromised (but then you're probably hosed anyway).
您的浏览器不支持HttpOnly
浏览器中存在一个迄今未知的漏洞,打破了HttpOnly
服务器已经被泄露(但是你可能已经被软化了)。
As another poster has noted: XSS is not the only threat out there, and grabbing cookies is not the only threat from XSS. I'm sure you knew this - I'm just being complete!
正如另一张海报所指出的那样:XSS不是唯一存在的威胁,抓取cookie不是XSS的唯一威胁。我相信你知道这一点 - 我只是完成了!
Good luck!
#4
0
JavaScript can modify the HTML on the page, therefore, httpOnly does not mean you are safe against XSS.
JavaScript可以修改页面上的HTML,因此,httpOnly并不意味着您可以安全地使用XSS。
#5
-1
Packet sniffing can read the cookies transmitted over http. But it may not fall under the XSS.
数据包嗅探可以读取通过http传输的cookie。但它可能不属于XSS。
智能推荐
注意!
本站翻译的文章,版权归属于本站,未经许可禁止转摘,转摘请注明本文地址:http://www.silva-art.net/blog/2008/10/23/41067616eb6a517367c54e29a3f321f0.html。