httponly

Question

httponly

dinahwaitat opened this issue 8 months ago · 10 comments

hello i am try with the reflected xss on the low level mode but when i try to submit the java script with the document.cookie i noticed that not all cookies appears ,, so i found that the httponly flag is activated in the cookies were there is php id session even i am working with the low level mode ,, i am using kali and installed dvwa recently and manually by git clone ,, btw i tried with firefox and chromium the same problem

Answer 1 · 2024-01-26T14:58:22.000Z

What mode were you in when the cookie was set?

Answer 2 · 2024-01-26T15:00:52.000Z

i am not sure but i think it was impossible

Answer 3 · 2024-01-26T15:05:44.000Z

how can i work at low level mode with httponly flag false as it suppose to be

Answer 4 · 2024-01-26T15:07:40.000Z

It looks like the default is now to set the flag on all cookies. I'll make a change to unset it so that it is always available. Give me an hour.

…

On Fri, 26 Jan 2024 at 15:01, dinahwaitat ***@***.***> wrote: i am not sure but i think it was impossible — Reply to this email directly, view it on GitHub <#609 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWKGRFNDQAA4M6CSW33YQPAK7AVCNFSM6AAAAABCMIQOVGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJSGIYDSMJSHA> . You are receiving this because you commented.Message ID: ***@***.***>

Answer 5 · 2024-01-26T15:11:24.000Z

thank you so much ,, and there is anything i have to do before retry ?

Answer 6 · 2024-01-26T16:47:20.000Z

I've tried to sort this and it is a more complicated issue than I thought. If you want to work with this, a quick fix is to edit `dvwa/includes/dvwaPage.inc.php` and change this: ``` 'httponly' => $httponly, ``` to ``` 'httponly' => false; ``` That should work I think. I'll try to do a proper fix later.

…

On Fri, 26 Jan 2024 at 15:11, dinahwaitat ***@***.***> wrote: thank you so much ,, when can i try again ?? and there is anything i have to do now before retry ? — Reply to this email directly, view it on GitHub <#609 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWLNKIGQSWKU3XLITALYQPBSNAVCNFSM6AAAAABCMIQOVGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJSGIZDKMRSGQ> . You are receiving this because you commented.Message ID: ***@***.***>

Answer 7 · 2024-01-26T17:04:09.000Z

thank u for your effort i have three question:

do u think my problem in this section within dvwapage.inc.php :
// Valid security levels
$security_levels = array('low', 'medium', 'high', 'impossible');
if( !isset( $_COOKIE[ 'security' ] ) || !in_array( $_COOKIE[ 'security' ], $security_levels ) ) {
// Set security cookie to impossible if no cookie exists
if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) {
dvwaSecurityLevelSet( $_DVWA[ 'default_security_level' ] );
} else {
dvwaSecurityLevelSet( 'impossible' ); // maybe here ?
```
 }
```
and this is where u want me to set httponly true 👍
session_set_cookie_params([
'lifetime' => $maxlifetime,
'path' => '/',
'domain' => $domain,
'secure' => $secure,
'httponly' => $httponly, // here right ?
'samesite' => $samesite
]);
when this issue will be solved please ,, again and again thank u so much

Answer 8 · 2024-01-26T17:35:52.000Z

1 yes it is in there. To change the flag you need to regenerate the session ID which causes it to be sent to the user again with the new flag. This doesn't do that. 2 yes. If you then delete your session in the browser the new cookie which is set should not have the flag 3 when I have a spare couple of hours. I spent an hour on it earlier, I have a fix but it's buggy for some reason. I'll update the ticket when done.

…

On Fri, 26 Jan 2024, 17:04 dinahwaitat, ***@***.***> wrote: thank u for your effort i have three question: 1. do u think my problem in this section within dvwapage.inc.php : // Valid security levels $security_levels = array('low', 'medium', 'high', 'impossible'); if( !isset( $_COOKIE[ 'security' ] ) || !in_array( $_COOKIE[ 'security' ], $security_levels ) ) { // Set security cookie to impossible if no cookie exists if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) { dvwaSecurityLevelSet( $_DVWA[ 'default_security_level' ] ); } else { dvwaSecurityLevelSet( 'impossible' ); // maybe here ? } 2. and this is where u want me to set httponly true 👍 session_set_cookie_params([ 'lifetime' => $maxlifetime, 'path' => '/', 'domain' => $domain, 'secure' => $secure, 'httponly' => $httponly, // here right ? 'samesite' => $samesite ]); 3. when this issue will be solved please ,, again and again thank u so much — Reply to this email directly, view it on GitHub <#609 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4SWPKXZ37GWALO3PV4LTYQPOZJAVCNFSM6AAAAABCMIQOVGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJSGM4DSOJXHE> . You are receiving this because you commented.Message ID: ***@***.***>

Answer 9 · 2024-01-29T10:43:32.000Z

This should now be fixed with the update 7671c3a. You will need to update your repo to test it.

Any problems, let me know.

Answer 10 · 2024-03-12T11:38:44.000Z

Fairly sure this is fixed now.