--- layout: post status: publish published: true title: httpOnly Cookie Detection wordpress_id: 291 wordpress_url: http://pro.grammatic.org/post-httponly-cookie-detection-7.aspx date: !binary |- MjAwNy0wNS0xNSAxMzo1NDo1NyArMDIwMA== date_gmt: !binary |- MjAwNy0wNS0xNSAxMzo1NDo1NyArMDIwMA== categories: - Technology - InfoSec tags: - information security - XSS - cookies comments: [] ---
Admittedly of limited use, here is a JavaScript function I wrote to detect the presence of httpOnly cookies. In Firefox the function will overwrite the real value of the cookie, so before using this function it is vital to try and read the cookie normally! Here is the script embedded in a test PHP page.
{% highlight html %}This works because when setting a cookie under Internet Explorer (which supports httpOnly) with the same name as an httpOnly cookie the set operation fails and therefore a simple comparison of the cookie state after the set reveals this, which can be assumed to be an httpOnly cookie. Obviously this requires the attacker to be able to guess the name of the httpOnly cookie in advance but may actually be of most use (at present) as a browser detection agent.