3

If, for example, an installed third-party package issues an HTTP request to its own servers, and by default any HTTP request leaves with the cookie contents in the request headers, doesn't that expose the contents to the server that receives the request? I don't get how httpOnly prevents the access token from being revealed...

Raz Buchnik
  • `httpOnly` is to prevent spoofing. If you want to secure your cookies you should also use `secure:true` – Eldar Jan 17 '22 at 18:02
  • But, `secure: true` only forces HTTPS, so others on the same Internet cannot understand the actual content in it, but the receiver does. – Raz Buchnik Jan 17 '22 at 18:03
  • Sorry "so others on the same Internet cannot understand the actual content in it" is not true. HTTPS is meant to prevent that from happening. – Eldar Jan 17 '22 at 18:04

2 Answers

4

HTTP requests carry with them only the cookies that are applicable to the domain being requested, not all of the browser's cookies. If you have a browser with cookies for bank.com, shop.com, and evil-site.com, a request to evil-site.com would only send evil-site.com cookies with the request. Not so useful.

Now say a malicious script has infected bank.com and has placed itself on a page in that domain. Now that script is running in the context of bank.com and the currently viewing user. It can now read bank.com's non-HttpOnly cookies using document.cookie and send them to evil-site.com with a simple script. This means that if you logged in to bank.com and viewed that infected page, your login cookies can now be stolen.

Marking a cookie as HttpOnly tells the browser not to expose the cookie to JavaScript, i.e. any script, legit or not, cannot read the cookie's value from document.cookie. So if bank.com made their login cookie HttpOnly, this cookie would not be readable by any script on the page. However, the cookie is still passed back and forth between browser and bank.com in requests and responses while the cookies are present and valid.

HttpOnly is just one of the many measures to prevent cookie theft and should be complemented by other security features. Secure makes sure the cookie is only ever sent through HTTPS connections. SameSite defines when the cookie is allowed to cross sites. HTTPS connections prevent reading the request over the network.

Joseph
  • Great explanation. I have tried to send a request with `withCredentials: true` from a web client on `localhost:8080` to a backend API on `localhost:3002`, which allowed a CORS header for the client - otherwise the request would be denied. The response came back with the cookie, and it was auto-added to the browser under the domain "localhost" in the cookie section. I then requested another API, also on localhost but on port 3003, which also allowed CORS for 8080, and the cookie with `httpOnly` was sent as well and could be read from 3003. – Raz Buchnik Jan 17 '22 at 21:59
  • Well, I have tested it from localhost:8080 to some different real domain (actually changed the /etc/hosts file) and it worked! No cookies were passed! Amazing. – Raz Buchnik Jan 17 '22 at 22:32
3

The httpOnly attribute's purpose is to hide the cookie from the JavaScript context.

To observe it, you can type document.cookie in the console of any web page, and you'll notice that the result contains all of the cookies that are not httpOnly and from the current domain. You can verify it with the Application tab of the DevTools.

That means if an attacker somehow manages to execute malicious code on a user's web page (e.g. by exploiting a script injection vulnerability), he may be able to send requests on behalf of that user but he should not be able to retrieve the cookie's value.

Guerric P
  • What's the point in hiding the cookie, if the attacker can still send malicious requests over the browser anyway? – Myzel394 Oct 15 '22 at 10:22
  • When an attacker accesses the web page context, it's often through a XSS vulnerability which doesn't allow a full remote control of that web page to send forged requests. Also, there are limitations when it comes to request forging in the browser: some headers like the [Fetch Metadata Request Headers](https://www.w3.org/TR/fetch-metadata/) cannot be faked. On the other hand, an authentication token theft would result in a full privilege elevation for the attacker. – Guerric P Oct 15 '22 at 18:33
  • That makes sense. Also, in addition, with a `httpOnly` cookie, the actual browser must be running. If the user simply closes it or shuts down their PC, the attacker can't execute any more requests. When the attacker has full access to the token, they can also distribute it to many PCs with many IP addresses, thus also bypassing any simple IP throttling on the server. Afaik, such a vulnerability has been found in Microsoft's MFA; an attacker could simply bruteforce the token by using many IP addresses. – Myzel394 Oct 16 '22 at 09:52