oss-sec mailing list archives
Re: Re: Question regarding CVE applicability of missing HttpOnly flag
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 26 Jun 2014 17:30:46 +1000
On 06/26/2014 04:31 PM, Kurt Seifried wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My thought on this: security lines move, e.g. with crypto certain algorithms are no longer sufficient (e.g. DES), they are essentially the same as no crypto when put up against modern hardware. So with web cookies they are often used as authentication tokens (the alternative is in URL which has it's own list of problems, or form values/etc.), I would hazard to say the vast majority of all web based authentication uses cookies (I've never run into widely used certificate based or other options). Also web sites have changed, no longer static sites or "simple" CGI based sites, you pretty much always use a framework, sometimes hosting your framework within a lower level framework. Or you write custom code, whatever. The point is this stuff has XSS flaws all over the place, it's more the rule then the exception. So with widespread XSS in mind, I think it's safe to say that virtually every web site (even sites that care deeply and spend time/money and have bug bounties) have lurking XSS flaws, which if HTTPOnly is not used can result in cookie theft. So in my mind HTTPOnly isn't an option any more, but a requirement, ergo in most situations no HTTPOnly = win a CVE. Evidence: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=XSS
It depends what the cookie is used for. It would be an issue if not used on the session cookie and you could steal that.
But websites set lots of cookies, which if stolen, have no relevance to being able to access the user's session, or do much of anything useful with anyway. I believe a lot of the "this cookie does not have HTTPOnly" issues are non-issues.
Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 25)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Murray McAllister (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Henri Salo (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Murray McAllister (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Vladimir '3APA3A' Dubrovin (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Florian Weimer (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Jamie Strandboge (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)