httpOnly Cookies in Firefox 2.0

Tuesday, October 24. 2006

Tuesday, October 24. 2006



httpOnly cookies are a Microsoft extension to the cookie standard. The idea is that cookies marked as httpOnly cannot be accessed from JavaScript. This was implemented to stop cookie stealing through XSS vulnerabilities. This is unlike many people believe not a way to stop XSS vulnerabilities, but a way to stop one of the possible attacks (cookie stealing) that are possible through XSS.


Unfortunately the mozilla family still refuses to implement httpOnly cookies in Firefox and therefore their newest release: Firefox 2.0 still comes without support for httpOnly cookies. Luckily an annoying bug within the Firefox internals was fixed in Firefox 2.0 which enables an extension to correctly intercept incoming and outgoing cookies. In previous Firefox versions it was not possible to intercept incoming cookies, because the Cookie header was already parsed before the examine response hook was called.


Therefore I sat down during the last hours and wrote my little httpOnly extension. This extension adds transparent httpOnly cookie support to Firefox by using a funny hack.


The idea of the extension is to create a random key in the Firefox preferences on the first startup. It then hooks the hooks for outgoing and incoming HTTP requests. It then parses all incoming cookies (for now only Set-Cookie header) and rewrites cookies marked as httpOnly. Their name gets a 'hO_' prefix and their content gets AES encrypted. The key used for this encryption is based on the key stored in the preferences and the real name of the cookie. This results in Firefox storing an encrypted cookie into it's cookie storage. Of course it is still possible for JavaScript to read this cookie, but because the content is encrypted it is not possible for malicious JavaScript to retrieve the original value. All outgoing cookies on the other hand will be processed by another hook and decrypted if they are 'hO_' prefixed.


With this little hack it is now possible to have httpOnly cookies in Firefox 2.0. You can download this little extension from here. Be warned that this was a hack of only a few hours. Therefore you should only consider it a proof of concept. However I am planning on improving it in the near future.


Update: I just uploaded the extension to addons.mozilla.org.

Posted by Stefan Esser in Security, PHP at 15:52
Comments (21)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Chris ()
What about this scenario- a non-httpOnly cookie whose name happens to start with hO_ is sent to the browser.

Okay, it is not encrypted inbound because it is not httpOnly.

But what then happens outbound? Will the outbound hook try to decrypt it just because it's name begins with hO_?

What will that do to the cookie data?
posted on Wednesday, October 25. 2006
#1.1 Stefan Esser wrote (Link) ()
Chris,

the extension is only a proof of concept at the moment. Therefore unlikely scenarios like the above are not handled yet.

In the unlikely case that a cookie startes with hO_ it will not work correctly, unless it is marked as httpOnly. Normal cookie with that name would get registered and trash is sent back to the user. (If not an exception inside the JavaScript occurs...) In that case the Cookie header would get send still encrypted.

In future versions 'h0_' will be a configureable string and there will be a protection against this kind of scenario. (f.e. the Name could also be encrypted and only if the decryption works correctly it is assumed as encrypted)

There are other cases like an already existing cookie with the same name or JavaScript trying to set a h0_ cookie that are also not yet covered. But opensource is release early, release often.

The whole purpose of this extension is to get a high enough download counter to finally convinve the guys at mozilla.org implement this feature into the main browser code...
posted on Wednesday, October 25. 2006
#2 Cristian Rodriguez wrote (Link) ()
great work Stefan ;-) Im running it now and testing it against the upcoming PHP 5.2.0 httponly cookie support..
posted on Wednesday, October 25. 2006
#3 Rickard Andersson wrote (Link) ()
Very nice! I don't know why the Mozilla people refuse to include support for this in Firefox. I posted this to digg.com as I think it needs as much attention as possible:

http://digg.com/security/The_FF2_extension_everyone_should_be_using
posted on Saturday, October 28. 2006
#4 Charles Darke wrote (Link) ()
I was looking to recompile FF to add in the HttpOnly patch released a while back when I found this plug-in.

However, I'm having a few problems with it. The main one being that it seems to find and encrypt the HttpOnly cookies OK, but these are not being returned even in PHP scripts.

Looking at the cookies, I noticed that a double quote mark is added and wonder if this is some sort of bug? For example, the cookie with name:

userid

now becomes:

"hO_userid

On a security issue side, one script I tested logs you out by overwriting the log-in cookies. When I installed the extension, the 'overwriting' created new (encrypted) cookies with the "hO_ name but didn't remove the old cookie. Again, possible due to a bug in the cookie re-naming.
posted on Sunday, October 29. 2006
#4.1 Stefan Esser wrote (Link) ()
Hi Charles,

is is possible for you to give me a site that produces this problem. (With the " mark. I am quite sure that somehow the parsing is broken in that case.

And with deleted cookies. I fear you are right. I think I know the problem. I need to check for string 'deleted' before I encrypt the cookies.
posted on Sunday, October 29. 2006
#4.1.1 Charles Darke wrote (Link) ()
Hi. Here is one site (I'd be grateful if you didn't publish this comment since the site is still under construction!)

http://XXXXXXXX/XXXXXXXX

I put a simple javascript on that site to alert(cookies).
posted on Sunday, October 29. 2006
#4.1.1.1 Stefan Esser wrote (Link) ()
Hi Charles,

i have removed the URL to your demo site from the comment and approved it.

Well when I visit your URL I only get an empty alert box. However the page does not try to set a Cookie. (Atleast It does not send a Set-Cookie header when I look at the HTTP response)
posted on Sunday, October 29. 2006
#5 Charles Darke wrote (Link) ()
Cookie I refer to is a login cookie and it's only set when you register/login ;-)
posted on Sunday, October 29. 2006
#6 ascii wrote (Link) ()
If you want to have httpOnly cookies in any Firefox version you can use this Javascript hack. This is a server side protection.

http://www.ush.it/2006/07/28/httponly-cookies-and-mozilla-firefox/
posted on Wednesday, November 1. 2006
#6.1 Stefan Esser wrote (Link) ()
Ascii,

that server side protection is easily bypassed. And I do not consider anythin a protection that can be bypassed by simply changing the way code is injected.
If you really want a server side protection, you can always encrypt your cookies.

PHP users can simply install Suhosin and get transparent Cookie encryption. This is not only an easy way to get httpOnly Cookies, but also transparent hardening of Sessions against hijacking and fixation.
posted on Wednesday, November 1. 2006
#6.1.1 ascii wrote (Link) ()
Stefan, yes it can be bypassed (as also pointed in the article with or here http://www.ush.it/team/ascii/hack-wisec-httponly_cookie/ with iframe injection) but at last you can trigger an alert when somebody try to acquire the cookie value in the standard way. It's like grep on access log locking for in GET requests but a bit more proactive. I agree with you: Suhosin (and before Hardened-PHP) is a must have patch for your PHP interpreter.
posted on Wednesday, November 1. 2006
#6.1.2 Charles Darke wrote (Link) ()
Agree with you on the javascript 'hacks'. Not sure there is a great way to implement server side cookie protection. Currently, I'm thinking of hashing cookies with IP address but this causes hassle for anybody without a static IP. Hashing also with UA string adds only a trivial amount of protection.

Actually, it might be interesting to have an extension that forces all cookies to be HttpOnly and have a whitelist for exceptions.
posted on Wednesday, November 1. 2006
#7 Nando ()
Hi, can you make the whitelist for exceptions?
posted on Tuesday, December 12. 2006
#8 orlando ()
Stefan,

I was testing your extension on orkut.com (google's friends networking site) and I couldn't log in with your extension activated.

orkut is a site with heavy phishing schemes using javascrip to read users authentication cookies. your extension would be a plus at orkut.
posted on Tuesday, December 12. 2006
#9 Brazilian ()
The extension dont work in www.orkut.com

Orkut have many bugs with cookies.

Please, update the extension for Firefox.

Sorry my ungly (and bad) english.
posted on Thursday, December 14. 2006
#10 shiva ()
thank you for this great extension.
as somebody said, about bug.

"hO_

i just found when i set cookie timeout, it causes.
on session cookie with httponly on PHP5.2.3,
its work well. because the timeout is closing browser(not valid date).

could you check and fix it,please?

i really appriciate your activity about PHP and security
posted on Thursday, July 19. 2007
#11 Armand wrote (Link) ()
Hi,
Newer versions of phpMyAdmin dosent work when this extension is installed.
posted on Monday, August 27. 2007
#11.1 Christefano wrote (Link) ()
I can confirm that phpMyAdmin does not work with the httpOnly extension installed. My tests were with httpOnly 0.5 and phpMyAdmin 2.11.0.
posted on Tuesday, November 6. 2007
#12 Devang wrote (Link) ()
Good extension, but it breaks logging into orkut.com because the javascript on orkut.com can't seem to login without reading google.com cookies. Blogger.com doesn't seem to have the same problem though. Weird.

If you're going to be adding features, allowing certain user-defined sites to read each other's cookies would probably help.
posted on Friday, August 31. 2007
#12.1 Stefan Esser wrote (Link) ()
Devang,

I suggest deinstalling the extension and using a recent version of Firefox.

Firefox meanwhile has support for httpOnly Cookies by default.
At the moment the implementation is not yet 100% secure but it is better to use the built-in functionality than the httpOnly extension.

The httpOnly extension was an experiment and the first FF extension I ever wrote. So the code is not that great and it has some bugs in it. These bugs could also be the cause of your troubles.
posted on Sunday, September 2. 2007

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back September '09
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        
Archives
September 2009
August 2009
July 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP