Is there any way to read a secure cookie with javascript? I tried to do it using document.cookie and as far as I can see here http://securitymusings.com/article/909/secure-cookies-the-httponly-flag I cannot access a secure cookie this way.
有没有办法用javascript读取安全cookie?我尝试使用document.cookie来做到这一点,据我所知,http://securitymusings.com/article/909/secure-cookies-the-httponly-flag我无法以这种方式访问安全cookie。
Can anyone offer me a workaround?
任何人都可以给我一个解决方法吗?
2 个解决方案
#1
75
Different Browsers enable different security measures when the HTTPOnly flag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.
设置HTTPOnly标志时,不同的浏览器启用不同的安全措施。例如,Opera和Safari不会阻止javascript写入cookie。但是,在所有主流浏览器的最新版本中始终禁止阅读。
But more importantly why do you want to read an HTTPOnly
cookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly
flag and "secure flag" (which forces the cookie to be sent over https) should always be set.
但更重要的是,您为什么要阅读HTTPOnly cookie?如果您是开发人员,只需禁用该标志并确保为xss测试代码。我建议您尽可能避免禁用此标志。应始终设置HTTPOnly标志和“安全标志”(强制cookie通过https发送)。
If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly
flag. You can still ride on the session without knowing the session id. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore, the attacker could do almost anything that the logged user could do.
如果您是攻击者,那么您想要劫持会话。但是,尽管存在HTTPOnly标志,但有一种简单的方法可以劫持会话。您仍然可以在不知道会话ID的情况下骑车。 MySpace Samy蠕虫就是这样做的。它使用XHR读取CSRF令牌,然后执行授权任务。因此,攻击者几乎可以执行已登录用户可以执行的任何操作。
People have too much faith in the HTTPOnly
flag, XSS can still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.
人们对HTTPOnly标志有太多信心,XSS仍然可以被利用。您应该围绕敏感功能设置障碍。如更改密码字段应该要求当前密码。管理员创建新帐户的能力应该要求使用验证码,这是一种CSRF预防技术,不能轻易绕过XHR。
#2
29
The whole point of HttpOnly cookies is that they can't be accessed by JavaScript.
HttpOnly cookie的重点是它们无法被JavaScript访问。
The only way (except for exploiting browser bugs) for your script to read them is to have a cooperating script on the server that will read the cookie value and echo it back as part of the response content. But if you can and would do that, why use HttpOnly cookies in the first place?
脚本读取它们的唯一方法(除了利用浏览器错误)是在服务器上有一个协作脚本,它将读取cookie值并作为响应内容的一部分回显它。但是,如果你能做到这一点,为什么要首先使用HttpOnly cookies?
#1
75
Different Browsers enable different security measures when the HTTPOnly flag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.
设置HTTPOnly标志时,不同的浏览器启用不同的安全措施。例如,Opera和Safari不会阻止javascript写入cookie。但是,在所有主流浏览器的最新版本中始终禁止阅读。
But more importantly why do you want to read an HTTPOnly
cookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly
flag and "secure flag" (which forces the cookie to be sent over https) should always be set.
但更重要的是,您为什么要阅读HTTPOnly cookie?如果您是开发人员,只需禁用该标志并确保为xss测试代码。我建议您尽可能避免禁用此标志。应始终设置HTTPOnly标志和“安全标志”(强制cookie通过https发送)。
If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly
flag. You can still ride on the session without knowing the session id. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore, the attacker could do almost anything that the logged user could do.
如果您是攻击者,那么您想要劫持会话。但是,尽管存在HTTPOnly标志,但有一种简单的方法可以劫持会话。您仍然可以在不知道会话ID的情况下骑车。 MySpace Samy蠕虫就是这样做的。它使用XHR读取CSRF令牌,然后执行授权任务。因此,攻击者几乎可以执行已登录用户可以执行的任何操作。
People have too much faith in the HTTPOnly
flag, XSS can still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.
人们对HTTPOnly标志有太多信心,XSS仍然可以被利用。您应该围绕敏感功能设置障碍。如更改密码字段应该要求当前密码。管理员创建新帐户的能力应该要求使用验证码,这是一种CSRF预防技术,不能轻易绕过XHR。
#2
29
The whole point of HttpOnly cookies is that they can't be accessed by JavaScript.
HttpOnly cookie的重点是它们无法被JavaScript访问。
The only way (except for exploiting browser bugs) for your script to read them is to have a cooperating script on the server that will read the cookie value and echo it back as part of the response content. But if you can and would do that, why use HttpOnly cookies in the first place?
脚本读取它们的唯一方法(除了利用浏览器错误)是在服务器上有一个协作脚本,它将读取cookie值并作为响应内容的一部分回显它。但是,如果你能做到这一点,为什么要首先使用HttpOnly cookies?