Thread: Logging httponly cookies?
09-02-2011, 08:03 AM #1 Garage Newcomer
I have been reading some e-books regarding the following topics: HttpOnly cookies, XST attacks, HTTP "TRACE". I ended up with some doubts, so I thought of asking here.
1) I am sure all of us know about HttpOnly cookies. Say a website (for example worldbank.com) hosted on a web server is vulnerable to XSS, the web server also has HTTP TRACE enabled, and assume that the target is issuing HttpOnly cookies to its users. Assume yourself as an attacker. As far as I have read, "HttpOnly cookies" protect the details of the users from being read by client-side scripting languages. How can I get past this and automatically log all the "httponly" cookies from worldbank.com?
2) It seems all of the modern browsers today do not allow users to perform TRACE requests. Can you guys name any old web browser that allows the user to perform a TRACE request so that I can play with it?
02-23-2012, 01:26 PM #2 Web Security Consultant
1. How can I get past this and automatically log all the "httponly" cookies from worldbank.com?
-- Well, there is no direct way to access "httpOnly" cookies via JavaScript. That's its job: to prevent access to flagged cookies from JavaScript. But there are some instances which have shown a way to access it. It's related to web server defects or other client-side packages.
Check the following links for more information:
Bypass httpOnly in Firefox 8.0.1 and Java 7ux | Seguridad Informática Colombiana
Apache httpOnly Cookie Disclosure
2. It seems all of the modern browsers today do not allow users to perform TRACE requests. Can you guys name any old web browser that allows the user to perform a TRACE request so that I can play with it?
-- XST should work on IE6 without any patches, or IE5. Not checked now since I don't have either of them.
AMol NAik
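
An added example, not written by any poster in this thread: a defender-side check over captured HTTP responses for the two conditions discussed above, cookies issued without HttpOnly and a server that still answers TRACE by echoing the request back. The responses, the host name `app.example` and the `X-Audit-Marker` header are constructed for illustration.

```python
def parse_response(raw):
    """Split a raw HTTP response into (status code, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def cookies_missing_httponly(raw):
    """Return the names of cookies set without the HttpOnly attribute."""
    _, headers, _ = parse_response(raw)
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(parts[0].split("=", 1)[0])
    return missing

def trace_echoes_request(raw, marker):
    """True if a TRACE response reflects the request (marker seen in the body)."""
    status, headers, body = parse_response(raw)
    ctype = dict(headers).get("content-type", "")
    return status == 200 and ctype.startswith("message/http") and marker in body

# Constructed sample responses (not captured from a real site).
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Length: 0\r\n\r\n"
)
TRACE_ENABLED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: app.example\r\nX-Audit-Marker: audit-7f3a\r\n\r\n"
)
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print("cookies without HttpOnly:", cookies_missing_httponly(LOGIN_RESPONSE))
    print("TRACE echo (enabled):", trace_echoes_request(TRACE_ENABLED, "audit-7f3a"))
    print("TRACE echo (disabled):", trace_echoes_request(TRACE_DISABLED, "audit-7f3a"))
```

A server that reflects the marker should have TRACE turned off (on Apache, `TraceEnable off`), and any session cookie reported by the first check should be reissued with HttpOnly.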
02-23-2012, 02:32 PM #3 Security Researcher
IE 6/7, that would work out.
Hacking Is a Matter of Time Knowledge and Patience