
Question

XSS Attacks:

a. If a site is configured to use HTTPOnly cookies, then Javascript code run on that site cannot access a user's cookie for that site. Thus, inserting document.cookie into a URL will no longer work. Do you think this will stop all XSS attacks? Explain.

b. If you visit http://www.somesite.com/showimg.php and include a GET parameter it will trigger the following PHP code:

<img src="<?php echo str_replace('script',' ', $_GET['imgfile']) ?>" >

Notice script is removed from any input. Is an XSS attack still possible? If no, explain why not. If one is still possible, what malicious URL would lead to an alert box popping up? (You can assume there is an image on the site called logo.png.)

Explanation / Answer

a. Not necessarily, because HTTPOnly works on browsers that support it, and a lot of old browsers do not. It can also be bypassed in certain versions of servers. But once XSS has compromised a session, it can make a lot of client-side changes, like falsifying the user interface to phish for client credentials, and thus acquire the beloved credentials using another method. In short, HTTPOnly makes things harder, but is hardly a deterrent for a skilled attacker.

b. An XSS attack is still possible: while script tags are removed, onload tags are not. It is better to use an open source, multiple-user-verified HTML sanitizer than to create your own. The following line will produce an alert box by exploiting the unsanitized onload tag of the image:

http://www.somesite.com/showimg.php?imgfile=logo.png"+onload=alert("Hacked")
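Added example, not part of the original question or answer: the part (b) handler written out in PHP beside a hardened version of the same handler. It assumes the site only ever serves a fixed set of image files with simple names; the hardened version allowlists the filename and encodes the value for the HTML attribute context instead of blacklisting the word "script".

```php
<?php
// Vulnerable form from part (b): a blacklist substitution. Removing the word
// "script" does nothing about the double quote that closes the src attribute,
// so an injected event-handler attribute still reaches the browser intact.
function render_img_vulnerable(string $imgfile): string {
    return '<img src="' . str_replace('script', ' ', $imgfile) . '" >';
}

// Hardened form (assumed design, not from the page):
//   1. allowlist the expected shape of a filename, falling back to a known-good
//      default when the input does not match;
//   2. encode for the attribute context so quotes and angle brackets are inert
//      even if the allowlist is later loosened.
function render_img_hardened(string $imgfile, string $default = 'logo.png'): string {
    // A bare basename with an image extension: no quotes, spaces or path parts.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(png|jpe?g|gif)$/', $imgfile)) {
        $imgfile = $default;
    }
    // ENT_QUOTES encodes both ' and ", so the attribute cannot be closed early.
    $safe = htmlspecialchars($imgfile, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $safe . '" >';
}

// Constructed input: the decoded imgfile value from the URL in the answer
// above ("+" in a query string decodes to a space).
$payload = 'logo.png" onload=alert("Hacked")';

// The blacklist filter leaves the payload untouched (it contains no "script"),
// so the closing quote and the injected onload attribute are emitted as-is.
echo render_img_vulnerable($payload), PHP_EOL;

// The allowlist rejects the payload and the default filename is rendered.
echo render_img_hardened($payload), PHP_EOL;

// Encoding alone, without the allowlist, also neutralises the breakout:
// every quote becomes an entity, so the browser sees one long src value.
echo htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

Run it with `php` on the command line to compare the three rendered strings; the point is that the fix lives in output encoding and input validation, not in stripping one keyword.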