October 23 2002, Microsoft issued a press release describing a new browser/server based protective security measure within of internet explorer 6 sp1. This new feature, dubbed “httponly”, helps guard http cookies against xss (cross-site scripting) attack. WhiteHat Security, heavily focused on web application security research and technology, began to investigate the feature in order to determine what it meant to web security. First of all, anything that attempts to help prevent the xss plague on the web is a good thing. Most of us in the web application security field already know the great pains required to prevent the ever-present existence of xss issues.
After much security review, I posted to bugtraq stating that the new httpOnly security feature, which is nicely effective for the intended purpose, is limited in xss protection scope. Limited in that the security feature only prohibits the exposure of cookie data through the “document.cookie” object. However, Microsoft has taken an excellent first step in the right direction to prevent xss as a whole.
Download the paper in PDF format here.