HttpCookie and cookie security

猴健居士    2022-08-06

Keywords:

Cookies used by a Web application

In my view the settings in this element are what matter most for the security of cookie access. The configuration element looks like this:

<httpCookies domain="String" 
httpOnlyCookies="true|false" 
requireSSL="true|false" />   

httpOnlyCookies: defaults to false. It controls whether browser-side script is blocked from accessing cookies, i.e. whether cookies created by the application carry the HttpOnly attribute. With Forms authentication an authentication ticket is issued and written into a cookie; at first I assumed that this setting would decide whether that ticket cookie can be accessed, but it turns out it does not, and my guess is that this configuration element is unrelated to the settings in the forms element.

Let's write a small test.

On the server side, add:

Response.SetCookie(new HttpCookie("testcookie", "test"));

On the browser side, add this script:

$(function () {
    // show whatever cookies script is allowed to read
    alert(document.cookie);
});

Barring surprises, the result is:

[screenshot of the alert]

Now set httpOnlyCookies to true:

<httpCookies httpOnlyCookies="true" />

Result:

[screenshot of the alert]

The HttpCookie class also has an HttpOnly property. Setting it to true gives the same result as the screenshot above, an empty string. Presumably the authentication-ticket cookie is also created with HttpOnly set to true, which would explain why the value configured in web.config has no effect on it.

Response.SetCookie(new HttpCookie("testcookie", "test") { HttpOnly=true});

Checking the source confirms this: the authentication-ticket HttpCookie is created in FormsAuthentication.GetAuthCookie, which sets HttpOnly = true on the cookie in code, so the httpOnlyCookies setting never decides whether the ticket is visible to script.

[screenshot of the FormsAuthentication.GetAuthCookie source]

The following piece, taken from an MSDN article, is about cross-site scripting. I recall that Jiang Jinnan's book 《ASP.NET MVC 4 框架揭秘》 also touched on this, and reading it now I understand much better what he was getting at. The article is quite old, though, and keeps referring to what Internet Explorer 6 SP1 changed.

Mitigating Cross-site Scripting With HTTP-only Cookies

One of the more common security problems plaguing Web servers is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML. Cross-site scripting attacks can expose sensitive information about the users of the Web site. In order to help mitigate the risk of cross-site scripting, a new feature has been introduced in Microsoft Internet Explorer 6. This feature is a new attribute for cookies which prevents them from being accessed through client-side script. A cookie with this attribute is called an HTTP-only cookie. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The following example is a header that sets an HTTP-only cookie.


Set-Cookie: USER=123; expires=Wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly

This topic briefly explains cross-site scripting, the potential risk of a cookie that can be accessed through script, and how this risk has been mitigated by HTTP-only cookies in Internet Explorer 6 Service Pack 1 (SP1).

Cross-site Scripting

Cross-site scripting is a common server-side vulnerability which allows a hacker to trick a user into disclosing sensitive information that is normally reserved for a specific Web site. The various steps of a cross-site scripting attack can best be explained with a simple example.

An Example of Cross-site Scripting

To understand how cross-site scripting is typically exploited, consider the following hypothetical example.

The A. Datum Corporation runs a Web site that allows you to track the latest price of your stock portfolio. To add a friendly touch, after logging in to the A. Datum Web site, you are redirected to www.adatum.com/default.asp?name=Brian and a server-side script generates a welcome page that says "Welcome Back Brian!". The stocks in your portfolio are stored in a database, and the Web site places a cookie on your computer containing a key to that database. The cookie is retrieved anytime you visit the A. Datum Web site.

A hacker realizes that the A. Datum Web site suffers from a cross-site scripting bug and decides to exploit this to gather some information about you that you'd rather not disclose; the names of the stocks in your portfolio. The hacker sends you an e-mail that claims you've just won a vacation getaway and all you have to do is "click here" to claim your prize. The URL for the hypertext link is www.adatum.com/default.asp?name=<script>evilScript()</script>. When you click this link, the Web site tries to be friendly by greeting you, but instead displays, "Welcome Back !". What happened to your name? By clicking the link in the e-mail, you've told the A. Datum Web site that your name is <script>evilScript()</script>. The Web server generated HTML with this "name" embedded and sent it to your browser. Your browser correctly interprets this as script, and because client-side script is typical browser functionality, runs the script without prompting you. If this script instructs the browser to send a cookie containing your stock portfolio to the hacker's computer, it quickly complies. After all, the instruction came from the A. Datum Web site which owns that cookie.

The following image demonstrates this concept visually by showing the process in five steps. First, the user clicks a link embedded in e-mail from the hacker (step 1). This generates a request to a Web site (step 2) which, because of a cross-site scripting bug, complies with the request and sends malicious script back to the user's browser (step 3). The script host executes the malicious code (step 4) and sends the sensitive data to the hacker's computer (step 5).

[figure: the five steps of the cross-site scripting attack]

There are many variations on this example of cross-site scripting. For more examples and further details see Cross-site Scripting.

Protecting Data with HTTP-only Cookies

To mitigate the risk of information disclosure with a cross-site scripting attack, a new attribute is introduced to cookies for Internet Explorer 6 SP1. This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker‘s computer or Web site with script.

A cookie is set on the client with an HTTP response header. The following example shows the syntax used in this header.


Set-Cookie: <name>=<value>[; <name>=<value>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]

Note: The HttpOnly attribute is not case sensitive.

If the HttpOnly attribute is included in the response header, the cookie is still sent when the user browses to a Web site in the valid domain. The cookie cannot be accessed through script in Internet Explorer 6 SP1, even by the Web site that set the cookie in the first place. This means that even if a cross-site scripting bug exists, and the user is tricked into clicking a link that exploits this bug, Windows Internet Explorer does not send the cookie to a third party. The information is safe.

Note: The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Used alone, it cannot completely eliminate the danger of cross-site scripting.

Browser Support for HTTP-only Cookies

If a Web site sets an HTTP-only cookie on a browser that does not support HTTP-only cookies, the cookie is either ignored or downgraded to a traditional, scriptable cookie. This leaves information vulnerable to attack for users of some browsers.

For a company intranet Web page, administrators could require the use of a browser that recognizes HTTP-only cookies for all users. This ensures that information is not disclosed with a cross-site scripting bug.

For a public Web site where it is important to support multiple browsers, consider using client-side script to determine the browser version for each visitor. The Web site can restrict sensitive information to visitors using browsers that mitigate cross-site scripting attacks for cookies. Visitors with browsers that do not support HTTP-only cookies can be given limited information or functionality along with a request to upgrade their software.

When determining the browser version of Internet Explorer, it is important to keep in mind that the user agent string for Internet Explorer 6 SP1 is identical to the user agent string for Internet Explorer 6. Client-side script must also check the minor version number with the appMinorVersion property of the navigator object to determine whether Internet Explorer 6 SP1 is installed.

Source: <https://msdn.microsoft.com/zh-CN/Library/ms533046.aspx>
