The ‘Secure’ Attribute

This preview shows page 10 - 19 out of 32 pages.

The ‘Secure’ Attribute
The ‘Secure’ attribute only protects the confidentiality of a cookie against MitM attackers; there is no integrity protection!*
Mallory can’t read ‘Secure’ cookies.
Mallory can still write/change ‘Secure’ cookies.
THE ‘HTTPONLY’ ATTRIBUTE
Keeping JavaScript’s Hands Away from the Cookie Jar
The ‘HttpOnly’ Attribute
“Cookies marked with the ‘HttpOnly’ attribute are not accessible from JavaScript and therefore unaffected by cross-site scripting (XSS) attacks.”
True or false?

The ‘HttpOnly’ Attribute
(Picture by Greg Putrich, flickr.com)
Only confidentiality is protected in practice.
HttpOnly cookies can be replaced by overflowing the cookie jar from JavaScript.
DEMO
Overwriting a Cookie Marked as ‘HttpOnly’ from JavaScript

THE ‘PATH’ ATTRIBUTE
Isolating Cookies to Specific Paths
The ‘Path’ Attribute
“The ‘Path’ attribute limits the scope of a cookie to a specific path on the server and can therefore be used to prevent unauthorized access to it from other applications on the same host.”
True or false?

The ‘Path’ Attribute
Cookie Scope vs. Same-origin Policy
[Table: rows Host/domain, Path, Port & Protocol; columns Cookie Scope, Same-origin Policy]
The ‘Path’ Attribute
Example: host example.com, path /App1, protocol & port https (443)
Isolated in terms of cookie scope.
Not isolated in terms of SOP!
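The contrast on this slide, as an added example that is not part of the original slide deck: cookie scope (RFC 6265 host match plus path-match) is computed separately from the same-origin policy (scheme, host and port only), for a constructed cookie set by /App1 on example.com and a sibling application at /App2.

```javascript
// Added example, not from the slides. Compares cookie scope with the
// same-origin policy for two URLs on the same host.

// RFC 6265 path-match: the request path equals the cookie path, or the
// cookie path is a prefix that ends in "/" or is followed by "/" in the
// request path. Prevents "/App1" from matching "/App10".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Would the browser attach this host-only cookie (no Domain attribute)
// to a request for urlString? Secure cookies are only sent over https.
function cookieInScope(cookie, urlString) {
  const u = new URL(urlString);
  if (u.hostname !== cookie.host) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return pathMatches(cookie.path, u.pathname);
}

// The same-origin policy compares scheme, host and port; the path plays
// no role, so two applications on one host share an origin.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Constructed cookie as /App1 might set it:
// Set-Cookie: session=...; Path=/App1; Secure; HttpOnly
const app1Cookie = { host: "example.com", path: "/App1", secure: true, httpOnly: true };

// Is the cookie isolated between the two URLs by cookie scope, and are
// the two URLs isolated from each other by the same-origin policy?
function compareIsolation(cookie, urlA, urlB) {
  return {
    cookieScopeIsolated: cookieInScope(cookie, urlA) !== cookieInScope(cookie, urlB),
    sopIsolated: !sameOrigin(urlA, urlB),
  };
}

const verdict = compareIsolation(app1Cookie, "https://example.com/App1/", "https://example.com/App2/");
console.log(verdict); // { cookieScopeIsolated: true, sopIsolated: false }
```

The cookie is not sent to /App2, yet /App2 is the same origin as /App1, which is why the Path attribute is a scoping convenience and not a security boundary between applications on one host.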
Fall '19
