Lesson Plan Title: HttpOnly Test
Concept / Topic To Teach:
To help mitigate the cross-site scripting threat, Microsoft has introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly.
General Goal(s):
The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, client-side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. Some browsers only prevent client-side read access, but don't prevent write access.
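The behaviour described above, as an added example that is not part of the WebGoat lesson: a small in-memory cookie jar that models what a compliant browser does with an HttpOnly cookie (script cannot read or write it, but it is still sent in the Cookie request header). The cookie names mirror the lesson; the values are constructed.

```javascript
// Added example (not WebGoat code): a model of the cookie handling the lesson tests.
// Set-Cookie headers are parsed as the server sends them; script reads/writes mirror
// what document.cookie allows, while the Cookie request header carries every cookie.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // HTTP response: every Set-Cookie header is honoured, flag included.
  setFromServer(headers) {
    for (const h of headers) { const c = parseSetCookie(h); this.cookies.set(c.name, c); }
  }

  // document.cookie read: HttpOnly cookies are hidden from script.
  scriptRead() {
    return [...this.cookies.values()].filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // document.cookie write: script may neither overwrite an HttpOnly cookie
  // nor create one (RFC 6265 discards such writes from a non-HTTP API).
  scriptWrite(assignment) {
    const c = parseSetCookie(assignment);
    const existing = this.cookies.get(c.name);
    if (c.httpOnly || (existing && existing.httpOnly)) return false;
    this.cookies.set(c.name, c);
    return true;
  }

  // Cookie request header: the browser still sends HttpOnly cookies to the server.
  requestHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed sample mirroring the lesson: JSESSIONID without the flag, unique2u with it.
const jar = new CookieJar();
jar.setFromServer(['JSESSIONID=ABC123; Path=/', 'unique2u=secret-token; HttpOnly']);
console.log('script sees:', jar.scriptRead(), '| server gets:', jar.requestHeader());
```

A browser that only blocks reads (the weaker behaviour the lesson mentions) would return true from scriptWrite for the unique2u cookie; this model shows the fully compliant case.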
Figure 1 Lesson HTTPOnly Test
Solution:
HTTPOnly is not configured. When you click on "Read Cookie" you will get the following pop-up in JavaScript, displaying the cookies:
Figure 2 All cookies
Select "Yes" to turn HTTPOnly on. Intercept the HTTP Request and HTTP Response in WebScarab.
Figure 3 HTTP Request
Figure 4 HTTP Response with HTTPOnly cookie
Click on "Read cookie". You will see only the JSESSIONID cookie, which is not using HTTPOnly.
Figure 5 Only JSESSIONID
Figure 6 HTTPOnly Success
Click on "Write cookie", which again only shows the JSESSIONID cookie.
Figure 7 JSESSIONID cookie
Figure 8 Lesson completed
Solution by Erwin Geirnaert