Re: Re: Question regarding CVE applicability of missing HttpOnly flag

[Murray McAllister <mmcallis () redhat com>]

On 06/26/2014 04:31 PM, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> My thought on this: security lines move, e.g. with crypto certain
> algorithms are no longer sufficient (e.g. DES), they are essentially
> the same as no crypto when put up against modern hardware.
>
> So with web cookies they are often used as authentication tokens (the
> alternative is in URL which has it's own list of problems, or form
> values/etc.), I would hazard to say the vast majority of all web based
> authentication uses cookies (I've never run into widely used
> certificate based or other options). Also web sites have changed, no
> longer static sites or "simple" CGI based sites, you pretty much
> always use a framework, sometimes hosting your framework within a
> lower level framework. Or you write custom code, whatever. The point
> is this stuff has XSS flaws all over the place, it's more the rule
> then the exception.
>
> So with widespread XSS in mind, I think it's safe to say that
> virtually every web site (even sites that care deeply and spend
> time/money and have bug bounties) have lurking XSS flaws, which if
> HTTPOnly is not used can result in cookie theft. So in my mind
> HTTPOnly isn't an option any more, but a requirement, ergo in most
> situations no HTTPOnly = win a CVE.
>
> Evidence:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=XSS

It depends what the cookie is used for. It would be an issue if not used 
on the session cookie and you could steal that.

But websites set lots of cookies, which if stolen, have no relevance to 
being able to access the user's session, or do much of anything useful 
with anyway. I believe a lot of the "this cookie does not have HTTPOnly" 
issues are non-issues.

Cheers,

--
Murray McAllister / Red Hat Product Security