git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
			26 lines
			1.3 KiB
			HTML
<div align="Center">
<p><b>Lesson Plan Title:</b> HttpOnly Test</p>
</div>
<p><b>Concept / Topic To Teach:</b></p>
<!-- Start Instructions -->
To help mitigate the cross-site scripting threat, Microsoft has
introduced a new cookie attribute entitled 'HttpOnly'. If this flag is
set, then the browser should not allow client-side script to access the
cookie. Since the attribute is relatively new, several browsers neglect
to handle the new attribute properly.
<p>For a list of supported browsers see: <a href="http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly">OWASP HTTPOnly Support</a></p>
<p><b>General Goal(s):</b></p>
The purpose of this lesson is to test whether your browser supports the
HTTPOnly cookie flag. Note the value of the
<strong>unique2u</strong>
cookie. If your browser supports HTTPOnly, and you enable it for a
cookie, client-side code should NOT be able to read OR write to that
cookie, but the browser can still send its value to the server. Some
browsers only prevent client-side read access, but don't prevent write
access.
<br />
<br />
With the HTTPOnly attribute turned on, type
"javascript:alert(document.cookie)" in the browser address bar. Notice
all cookies are displayed except the unique2u cookie.
<!-- Stop Instructions -->
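As an added illustration that is not part of the WebGoat lesson files, the following JavaScript models a conforming browser's cookie jar and shows the three behaviours the lesson describes: script cannot read an HttpOnly cookie, script cannot overwrite it, yet the browser still sends it to the server. The JSESSIONID cookie and all cookie values are constructed for the example.

```javascript
// Added example (not WebGoat code): a minimal model of a browser cookie jar
// implementing the HttpOnly semantics the lesson describes. All names except
// "unique2u" and all values are constructed for illustration.
// Parse one Set-Cookie / document.cookie string into { name, value, httpOnly }.
function parseCookieString(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}
class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Set-Cookie from the server: stored as-is, flag included.
  receiveSetCookie(header) {
    const c = parseCookieString(header);
    this.cookies.set(c.name, c);
  }
  // document.cookie getter in a conforming browser: HttpOnly cookies are hidden.
  scriptRead() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
  // document.cookie setter in a conforming browser (RFC 6265 section 5.3):
  // a script may neither set the HttpOnly flag nor overwrite an HttpOnly cookie.
  // Returns true if the write was accepted, false if the browser blocked it.
  scriptWrite(str) {
    const c = parseCookieString(str);
    const existing = this.cookies.get(c.name);
    if (c.httpOnly || (existing && existing.httpOnly)) return false;
    this.cookies.set(c.name, c);
    return true;
  }
  // Cookie request header sent back to the server: HttpOnly cookies still included.
  requestCookieHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }
}
// The lesson scenario: a plain session cookie plus the HttpOnly "unique2u" cookie.
function lessonScenario() {
  const jar = new CookieJar();
  jar.receiveSetCookie('JSESSIONID=abc123; Path=/');
  jar.receiveSetCookie('unique2u=constructed-secret; HttpOnly; Path=/');
  return { seenByScript: jar.scriptRead(),                      // 'JSESSIONID=abc123'
           writeBlocked: !jar.scriptWrite('unique2u=tampered'), // true
           sentToServer: jar.requestCookieHeader() };           // both cookies
}
```

A browser that only blocks reads (the partial support the lesson mentions) would return true from `scriptWrite('unique2u=tampered')`, which is exactly the gap this model lets you test for.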