views:

343

answers:

2

Searching for possible ways to get cookie with httpOnly enabled, I cannot find any. But then again, how do browser addons like Firebug, Add 'N Edit Cookie, etc. can get the cookies? Can't an attacker do the same?

So my question is, is it really, really impossible to get cookie of httpOnly enabled requests, using javascript?

p/s: Yes I'm aware httpOnly doesn't stop XSS attacks. I'm also aware it's futile against sniffers. Let's just focus on javascript, sort of alert(document.cookie) type / pre httpOnly era.

+3  A: 

Hi,

how do browser addons like Firebug, Add 'N Edit Cookie, etc. can get the cookies?

They are browser extensions, and the browser has access to the cookies ; extensions have a higher level of privileges than you JS code.

is it really, really impossible to get cookie of httpOnly enabled requests, using javascript?

Provided you are using a browser (ie, a quite recent browser) that support httpOnly and doesn't have a security bug about it, it should be impossible -- that's the goal of httpOnly.

Quoting wikipedia :

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.

Pascal MARTIN
+1  A: 

Firebug and other addons can do that because they are not running under security restrictions imposed to the JavaScripts of the web pages.

Havenard