Zhumengxin / webgoat

Automatically exported from code.google.com/p/webgoat

XMLHTTPRequest set-cookie exposure #18

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello WebGoat team.

I've noticed that the new patch from Microsoft patches XMLHTTPRequest
set-cookie exposure to HTTPOnly cookies.
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx

And although this patch really does block at least set-cookie exposure (this is the result of pressing the XMLHTTPRequest Read button), WebGoat is still showing a failure, screenshots below.

This was confirmed on XP/IE 7.0.5730.13

Original issue reported on code.google.com by mayhe...@gmail.com on 14 Nov 2008 at 4:09

GoogleCodeExporter commented 9 years ago
Can we also change this lab to test for both set-cookie and set-cookie2 exposure of HTTPOnly cookies via the XMLHTTPRequest Read button? http://ha.ckers.org/httponly.cgi was changed today to test for both.

Original comment by manico.james@gmail.com on 14 Nov 2008 at 8:48
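
An added example, not WebGoat's lesson code or anything posted in this thread: a small JavaScript check of the kind the "XMLHTTPRequest Read" button would need in order to test both headers. It parses the string that XMLHttpRequest.getAllResponseHeaders() returns and reports every HttpOnly cookie exposed through Set-Cookie or Set-Cookie2. The header block, cookie names and function names are constructed for the example. Current browsers omit Set-Cookie and Set-Cookie2 from getAllResponseHeaders() entirely, so the check passes there; parsing both header names is what lets a lesson tell a browser that strips both from one that strips only Set-Cookie.

```javascript
// Added example (not WebGoat's own code): decide whether a browser leaks
// HttpOnly cookies through XMLHttpRequest.getAllResponseHeaders().

// Both header names the lesson should look for, lower-cased for comparison.
const COOKIE_HEADERS = ['set-cookie', 'set-cookie2'];

// getAllResponseHeaders() returns "name: value" lines separated by CRLF.
// The same header name may appear on several lines, so keep an array per name.
function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Returns [{ header, cookie }] for every exposed cookie that carries HttpOnly.
function findExposedHttpOnlyCookies(raw) {
  const headers = parseResponseHeaders(raw);
  const exposed = [];
  for (const h of COOKIE_HEADERS) {
    for (const value of headers[h] || []) {
      const attrs = value.split(';').map((s) => s.trim());
      const cookieName = attrs[0].split('=')[0];
      const httpOnly = attrs.slice(1).some((a) => a.toLowerCase() === 'httponly');
      if (httpOnly) exposed.push({ header: h, cookie: cookieName });
    }
  }
  return exposed;
}

// Lesson verdict: the browser passes only if neither header leaks an HttpOnly cookie.
function browserBlocksHttpOnlyExposure(raw) {
  return findExposedHttpOnlyCookies(raw).length === 0;
}

// Browser-side wiring (never called under Node): issue the XHR that the Read
// button would issue and hand the exposed cookies, if any, to the callback.
function runXhrReadTest(url, callback) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) {
      callback(findExposedHttpOnlyCookies(xhr.getAllResponseHeaders()));
    }
  };
  xhr.send(null);
}

// Constructed sample: a browser that exposes both headers, including HttpOnly cookies.
const LEAKY_HEADERS =
  'Content-Type: text/html\r\n' +
  'Set-Cookie: JSESSIONID=abc123; Path=/WebGoat; HttpOnly\r\n' +
  'Set-Cookie2: unique2u=xyz; Version=1; Path=/WebGoat; HttpOnly\r\n' +
  'Set-Cookie: theme=dark; Path=/\r\n';

// Constructed sample: a browser that strips Set-Cookie but still exposes Set-Cookie2,
// the case a check that only looks at Set-Cookie would wrongly pass.
const HALF_FIXED_HEADERS =
  'Content-Type: text/html\r\n' +
  'Set-Cookie2: unique2u=xyz; Version=1; Path=/WebGoat; HttpOnly\r\n';

// Constructed sample: a browser that strips both headers.
const SAFE_HEADERS = 'Content-Type: text/html\r\nContent-Length: 1234\r\n';
```

The theme cookie in the leaky sample is deliberately not HttpOnly: a non-HttpOnly cookie being visible to script is expected, so the check reports only cookies the HttpOnly flag was supposed to hide.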

GoogleCodeExporter commented 9 years ago
I think the request here is for the HTTPOnly lesson to use set-cookie and set-cookie2.

Original comment by mayhe...@gmail.com on 26 Apr 2012 at 7:29

GoogleCodeExporter commented 9 years ago

Original comment by mayhe...@gmail.com on 27 Apr 2012 at 1:21

GoogleCodeExporter commented 9 years ago

Original comment by mayhe...@gmail.com on 8 May 2012 at 11:05