Insecurely generated cookies - HttpOnly - Dart
Need
Secure generation of cookies with the HttpOnly attribute
Context
- Usage of Dart 2.0 for building high-performance, cross-platform applications
- Usage of Shelf for composing HTTP request handlers and middleware in a Dart server application
Description
Insecure Code Example
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  // The Set-Cookie value is assembled by hand and carries no HttpOnly flag,
  // so the session identifier stays readable from client-side script.
  return shelf.Response.ok('Hello, World!').change(headers: {
    'Set-Cookie': 'sessionId=38afes7a8; path=/; domain=.example.com',
  });
}
In the above code, a cookie named `sessionId` is set without the `HttpOnly` attribute. `HttpOnly` is a flag that can be included in a `Set-Cookie` HTTP response header. When a browser that supports `HttpOnly` receives a cookie carrying the flag, client-side script that tries to read the cookie (for example through `document.cookie`) gets an empty string instead. The cookie is therefore unreachable from client-side scripting, which removes one of the main payoffs of a cross-site scripting (XSS) bug: the theft of the session cookie.

Because the `sessionId` cookie here is generated without the `HttpOnly` flag, it is accessible to client-side script. Any XSS vulnerability in the application would then expose the session identifier, and an attacker who obtains it can hijack the user's session and gain unauthorized access to the system.
Steps
- Identify the part of the code where the cookie is being set.
- Add the 'HttpOnly' attribute to the 'Set-Cookie' header.
- Ensure that the 'HttpOnly' attribute is set to true, i.e. that the flag is actually present in the header the browser receives. This will prevent the cookie from being accessed through client-side scripts.
- Test the application to ensure that the 'HttpOnly' attribute is being properly set and that the cookie cannot be accessed through client-side scripts.
Secure Code Example
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  // The HttpOnly flag is now part of the Set-Cookie value, so the browser
  // withholds the cookie from client-side script.
  return shelf.Response.ok('Hello, World!').change(headers: {
    'Set-Cookie': 'sessionId=38afes7a8; HttpOnly; path=/; domain=.example.com',
  });
}
The original code set a cookie without the `HttpOnly` attribute. This attribute matters because it prevents the cookie from being read via JavaScript, which mitigates the impact of cross-site scripting (XSS) attacks. In the fixed code, the `HttpOnly` attribute is added to the `Set-Cookie` header by appending `HttpOnly;` to the string that defines the cookie. The `sessionId` cookie is now set with the `HttpOnly` attribute and cannot be accessed through client-side scripts. Test the application after making this change to confirm that everything still works as expected and that the `HttpOnly` attribute is actually emitted in the response.
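Hand-concatenating cookie attributes is how the flag got lost in the first place. The following is an added example (not part of the original page) that builds the header with `dart:io`'s `Cookie` class and adds a Shelf middleware that fails loudly whenever a response tries to set a cookie without `HttpOnly`, which covers the "test" step above in-process. The cookie name, value and domain mirror the page's example and are assumed values.

```dart
import 'dart:io' show Cookie;

import 'package:shelf/shelf.dart';

/// Builds the Set-Cookie value with dart:io's Cookie class rather than by
/// string concatenation, so the HttpOnly flag cannot be forgotten or misspelt.
String sessionCookie(String sessionId) {
  final cookie = Cookie('sessionId', sessionId)
    ..httpOnly = true
    ..path = '/'
    ..domain = 'example.com'; // assumed domain, as in the page's example
  return cookie.toString(); // e.g. "sessionId=...; Domain=example.com; Path=/; HttpOnly"
}

/// Middleware that inspects every outgoing Set-Cookie header and throws if
/// the HttpOnly flag is missing, surfacing the defect in tests and staging
/// instead of shipping a script-readable session cookie.
Middleware requireHttpOnlyCookies() {
  return createMiddleware(responseHandler: (Response response) {
    final setCookies = response.headersAll['set-cookie'] ?? const <String>[];
    for (final header in setCookies) {
      final attributes = header.split(';').map((a) => a.trim().toLowerCase());
      if (!attributes.contains('httponly')) {
        throw StateError('Set-Cookie without HttpOnly: $header');
      }
    }
    return response;
  });
}

Response handleRequest(Request request) {
  return Response.ok('Hello, World!',
      headers: {'Set-Cookie': sessionCookie('38afes7a8')});
}

Future<void> main() async {
  final handler = const Pipeline()
      .addMiddleware(requireHttpOnlyCookies())
      .addHandler(handleRequest);

  // Constructed request: exercise the handler in-process, no server needed.
  final request = Request('GET', Uri.parse('http://localhost/'));
  final response = await handler(request);
  print(response.headers['set-cookie']);
}
```

Wiring `requireHttpOnlyCookies()` into the production pipeline turns the check into a guardrail; dropping `..httpOnly = true` from `sessionCookie` makes `main` throw, which is the behaviour a regression test should assert on.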
Last updated
2023/09/18