dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
mayhew64 ec95ba4089 Separated DB usage for messages in CSRF and Stored XSS 
Many cosmetic english changes
Fixed IE rendering for Challenge
 

git-svn-id: http://webgoat.googlecode.com/svn/trunk@350 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-07-09 00:17:20 +00:00

26 lines
1.3 KiB
HTML
Raw Blame History

<div align="Center">
<p><b>Lesson Plan Title:</b> HttpOnly Test</p>
</div>
<p><b>Concept / Topic To Teach:</b></p>
<!-- Start Instructions -->
To help mitigate the cross site scripting threat, Microsoft has
introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
set, then the browser should not allow client-side script to access the
cookie. Since the attribute is relatively new, several browsers neglect
to handle the new attribute properly.
<p>For a list of supported browsers see: <a href=http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly>OWASP HTTPOnly Support</a>
<p><b>General Goal(s):</b></p>
The purpose of this lesson is to test whether your browser supports the
HTTPOnly cookie flag. Note the value of the
<strong>unique2u</strong>
cookie. If your browser supports HTTPOnly, and you enable it for a
cookie, client side code should NOT be able to read OR write to that
cookie, but the browser can still send its value to the server. Some
browsers only prevent client side read access, but don't prevent write
access.
<br />
<br />
With the HTTPOnly attribute turned on, type
"javascript:alert(document.cookie)" in the browser address bar. Notice
all cookies are displayed except the unique2u cookie.
<!-- Stop Instructions -->
Reference in New Issue View Git Blame Copy Permalink