In 2002, Microsoft introduced a new cookie property called “HttpOnly.” While you can set the property programmatically on a per-cookie basis, you also can set it globally in the site configuration.

Vulnerable configuration:

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies=”false”>

Secure configuration:

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies=”true”>

Summary

Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from Cross-Site Scripting attacks. A hacker initiates a Cross-Site Scripting (also called CSS or XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable. For example, a login page that prompts for a user name and password and then displays “Welcome back, <username>” on a successful login may be susceptible to an XSS attack.

Message boards, forums, and wikis are also often vulnerable to application security issues. In these sites, legitimate users post their thoughts or opinions, which are then visible to all other visitors to the site. But an attacker, rather than posting about the current topic, will instead post a message such as “<script>alert(document.cookie);</script>”. The message board now includes the attacker’s script code in its page code-and the browser then interprets and executes it for future site visitors. Usually attackers use such script code to try to obtain the user’s authentication token (usually stored in a cookie), which they could then use to impersonate the user. When cookies are marked with the “HttpOnly” property, their values are hidden from the client, so this attack will fail.

As mentioned earlier, it is possible to enable “HttpOnly” programmatically on any individual cookie by setting the “HttpOnly” property of the “HttpCookie” object to “true.” However, it is easier and more reliable to configure the application to automatically enable “HttpOnly” for all cookies. To do this, set the “httpOnlyCookies” attribute of the <httpCookies> element to “true.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Initial Consultation

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.