如何使用JavaScript读取安全Cookie [英] How to read a secure cookie using JavaScript

问题描述

有什么方法可以用javascript读取一个安全的cookie吗？我试图使用document.cookie，就我可以看到这里 http：// securitymusings .com / article / 909 / secure-cookies-the-httponly-flag 我无法以这种方式访问​​安全Cookie。

Is there any way to read a secure cookie with javascript? I tried to do it using document.cookie and as far as I can see here http://securitymusings.com/article/909/secure-cookies-the-httponly-flag I cannot access a secure cookie this way.

任何人都可以为我提供解决方法？

Can anyone offer me a workaround?

推荐答案

不同的浏览器在设置HTTPOnly 标志时启用不同的安全措施。例如Opera和Safari不会阻止javascript写入cookie。但是，在所有主要浏览器的最新版本上总是禁止阅读。

Different Browsers enable different security measures when the HTTPOnly flag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.

但更重要的是为什么要阅读 HTTPOnly Cookie？如果您是开发人员，只需停用标记，并确保测试您的代码为xss 。我建议你避免禁用此标志，如果可能的话。应始终设置 HTTPOnly 标志和安全标志（强制通过https发送cookie）。

But more importantly why do you want to read an HTTPOnly cookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly flag and "secure flag" (which forces the cookie to be sent over https) should always be set.

如果您是攻击者，则需要劫持会话。但是有一个简单的方法来劫持会话，尽管 HTTPOnly 标志。你仍然可以在不知道会话ID的情况下骑行。 MySpace Sammy蠕虫确实如此。它使用XHR读取CSRF令牌，然后执行授权的任务。有攻击者几乎可以做任何登录用户可以做的事情。

If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly flag. You can still ride on the session without knowing the session id. The MySpace Sammy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. There for the attacker could do almost anything that the logged user could do.

人们对 HTTPOnly 标志太信任，XSS仍然可以利用。您应该在敏感功能周围设置障碍。如更改密码字段需要当前密码。管理员创建新帐户的能力需要验证码，这是一个 CSRF预防技术，它不能被XHR轻易绕过。

People have too much faith in the HTTPOnly flag, XSS can still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.

这篇关于如何使用JavaScript读取安全Cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！