Joe Pruitt - A Software Architect's take on Network Security

posted on Friday, August 29, 2008 3:18 PM

In a recent post, CodingHorror blogged about a story of one of his friends' attempts at writing his own HTML sanitizer for his website.

I won't bother repeating the details, but it all boils down to the fact that his friend noticed users were logged into his website as him and hacking away with admin access.  How did this happen?  It turned out to be a Cross Site Scripting (XSS) attack that found its way around his HTML sanitizing routines.  A user posted some content that included mangled JavaScript, which made an external request that carried the history and cookies of the current user's session off to another machine.

CodingHorror recommended adding the HttpOnly attribute to Set-Cookie response headers to help keep these cookies from being sent off to remote machines.  Per his blog post:

  • HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
  • HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn't, because there's a bug.
  • XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.

Whenever I hear about modifications made to backend servers, alarms start going off in my head and I get to thinking about how this can be accomplished on the network transparently.  Well, if you happen to have a BIG-IP, then it's quite easy.  A simple iRule can be constructed that checks all the response cookies and, if they do not already have the HttpOnly attribute, adds it.  I went one step further and added a check for the "Secure" attribute, adding that one as well for good measure.

when HTTP_RESPONSE {
  # Walk every cookie the server sets in this response.
  # (Opening braces must stay on the same line as the command: in Tcl a
  # newline ends the command, so a brace on the next line is a syntax error.)
  foreach cookie [HTTP::cookie names] {
    set value [HTTP::cookie value $cookie]
    if { "" != $value } {
      set testvalue [string tolower $value]
      set valuelen [string length $value]
      #log local0. "Cookie found: $cookie = $value"
      # Append "Secure" unless the value already carries it (case-insensitive match).
      switch -glob $testvalue {
        "*;secure*" -
        "*; secure*" { }
        default { set value "$value; Secure" }
      }
      # Append "HttpOnly" unless the value already carries it.
      switch -glob $testvalue {
        "*;httponly*" -
        "*; httponly*" { }
        default { set value "$value; HttpOnly" }
      }
      # Only rewrite the cookie when an attribute was actually added.
      if { [string length $value] > $valuelen } {
        #log local0. "Replacing cookie $cookie with $value"
        HTTP::cookie value $cookie "${value}"
      }
    }
  }
}

If you are only concerned with the Secure attribute, then you can always use the "HTTP::cookie secure" command, but as far as I can tell it won't add the HttpOnly attribute.
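The same rewrite the iRule performs, generalized to raw Set-Cookie header values, as an added Python example (this is not the post's iRule and not F5 code): attribute detection is case-insensitive and tolerates any whitespace around the semicolons, so it covers more spellings than the two glob patterns above. The list of (name, value) header pairs is a constructed stand-in for the BIG-IP response.

```python
# Added example (not from the original post): the Set-Cookie rewrite the iRule
# performs, done on raw header values so it can run offline. Attribute matching
# is case-insensitive and tolerates any whitespace around ';', generalizing the
# "*;secure*" / "*; secure*" glob patterns.

def _attribute_names(set_cookie):
    """Return the lower-cased attribute names that follow the name=value pair."""
    names = set()
    for part in set_cookie.split(";")[1:]:
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def harden_set_cookie(set_cookie, secure=True, httponly=True):
    """Append 'Secure' and/or 'HttpOnly' unless the header already carries them."""
    value = set_cookie.strip()
    # A Set-Cookie header must start with name=value; leave anything else alone.
    if not value or "=" not in value.split(";", 1)[0]:
        return set_cookie
    present = _attribute_names(value)
    if secure and "secure" not in present:
        value += "; Secure"
    if httponly and "httponly" not in present:
        value += "; HttpOnly"
    return value


def harden_response_headers(headers):
    """Rewrite every Set-Cookie in a list of (name, value) pairs, like HTTP_RESPONSE."""
    return [
        (name, harden_set_cookie(val)) if name.lower() == "set-cookie" else (name, val)
        for name, val in headers
    ]


if __name__ == "__main__":
    # Constructed sample response headers covering the three cases that matter:
    # no attributes, one attribute already set, both already set.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/"),
        ("Set-Cookie", "pref=dark; path=/;secure"),
        ("Set-Cookie", "tok=xyz; Secure; HttpOnly"),
    ]
    for name, val in harden_response_headers(sample):
        print(f"{name}: {val}")
```

Only add Secure on virtual servers that actually terminate TLS: a browser will not send a Secure cookie back over plain HTTP, so applying this to an HTTP-only virtual server silently breaks sessions.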

So, if you determine that HttpOnly cookies are the way you want to go, you could manually configure them in all of your applications on your backend servers.  Or... you could configure it in one place on the network.  I think I prefer the second option.

-Joe


Posted In: BIG-IP, iRules, Security

Feedback

1/1/2009 9:36 AM
I would like to stop the unwanted cookies in IE7.
leroy
3/17/2009 12:18 PM
Joe,

So does the iRule work just as written above? I have a customer who wants to make sure all the cookies are "secure", so I took notice of your line about the "HTTP::cookie secure" command, but didn't see that in the iRule itself, but it looks like there's code in there that deals with the security. I'm not very good at coding, so I apologize, but just wanted to know if I grab the iRule as is above if it'll work out of the box.

Thanks!
Eric
Eric Oakeson
