MATLAB allows creating/editing HTTPOnly cookies

6 views (last 30 days)
I was trying to connect from MATLAB to a RESTful API that keeps the authentication using an HTTPOnly session cookie. In all web browsers, HTTPOnly cookies are not editable in the browser (that is their only purpose!), but interestingly MATLAB allows it (2015b)!
So what I did was simply copy the cookie's content from a browser (where the user was logged in) and use the following code to SIMPLY fake that user in MATLAB!!!
cookietext = 'SESSION="123test"; Path=/; HTTPOnly';        % cookie text copied from the browser
opts = weboptions('KeyName','Cookie','KeyValue',cookietext); % sent verbatim as a Cookie request header
response = webread(someURL,opts);                          % someURL: the API endpoint that needs the session
This opens a big hole for XSS attacks! Why should MATLAB allow such a thing?
1 Comment
Morrie Gasser on 6 Feb 2017
MATLAB doesn't check or parse what you put into the KeyName/KeyValue options. If you can get hold of someone else's session key, then you could use any utility outside a browser that sends HTTP headers (such as curl) to send it back to the server, thus impersonating that user. MATLAB is no different in this regard. It seems to me that the security problem, if there is one, is the fact that the browser let you copy that HTTPOnly cookie.
In your case, you copied the cookie from one of your own browser sessions to your own MATLAB session. This is not a security problem, as you are only impersonating yourself. Besides, HTTPOnly says that the cookie should only be used on HTTP requests. Since webread issues an HTTP request, this is explicitly permitted.
If you can impersonate another user without their cooperation, that would be a security problem.
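The point made in the comment above, that any HTTP client can send a copied session cookie back and the server cannot tell the difference, is shown end to end in this added Python example. It is not code from the thread or from MathWorks; Python stands in for the MATLAB snippet because the behaviour is the same for every client. A local server issues a SESSION cookie with the HttpOnly attribute at login, a cookie-jar client logs in and records the attribute, and a second client with no jar replays only the copied value in a hand-built Cookie header, which is exactly what weboptions('KeyName','Cookie','KeyValue',...) does. The session id "123test" is borrowed from the question; the /login and /me routes and the alice credentials are assumptions made for the demo.

```python
"""Replaying an HttpOnly session cookie from a non-browser HTTP client.

A local server issues a SESSION cookie flagged HttpOnly at login and trusts
any request presenting it. A browser-like client (urllib with a cookie jar)
logs in and stores it; a raw client then replays the value in a hand-built
Cookie header. Session id, routes and credentials are constructed for the demo.
"""
import http.cookiejar
import http.cookies
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

SESSION_ID = "123test"                             # constructed demo session id
CREDENTIALS = {"user": "alice", "pass": "s3cret"}  # constructed demo login


class SessionHandler(http.server.BaseHTTPRequestHandler):
    """POST /login issues the cookie; GET /me trusts whoever presents it."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _presented_session(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return jar["SESSION"].value if "SESSION" in jar else None

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = (self.path == "/login"
              and form.get("user") == [CREDENTIALS["user"]]
              and form.get("pass") == [CREDENTIALS["pass"]])
        self.send_response(200 if ok else 401)
        # HttpOnly only tells browsers to hide the cookie from script; the
        # server cannot tell later which kind of client sends it back.
        if ok:
            self.send_header("Set-Cookie", f"SESSION={SESSION_ID}; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        authed = self.path == "/me" and self._presented_session() == SESSION_ID
        body = CREDENTIALS["user"].encode() if authed else b"unauthenticated"
        self.send_response(200 if authed else 401)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _fetch(opener, url, headers=None):
    """GET url through opener; return (status, body) even for 4xx replies."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def browser_login(base):
    """Browser-like client: the jar handles Set-Cookie and records HttpOnly."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    data = urllib.parse.urlencode(CREDENTIALS).encode()
    with opener.open(base + "/login", data=data, timeout=5):
        pass
    return opener, next(c for c in jar if c.name == "SESSION")


def replay(base, session_value):
    """Raw client, no jar: paste a copied session value into a Cookie header.
    A Cookie request header carries only name=value; Path and HttpOnly are
    Set-Cookie attributes and are never sent back to the server."""
    return _fetch(urllib.request.build_opener(), base + "/me",
                  {"Cookie": f"SESSION={session_value}"})


def run_demo():
    """Start the server, log in as a browser would, then replay the cookie raw."""
    server = http.server.HTTPServer(("127.0.0.1", 0), SessionHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        opener, cookie = browser_login(base)
        return {
            "jar_saw_httponly": cookie.has_nonstandard_attr("HttpOnly"),  # True
            "browser_me": _fetch(opener, base + "/me"),        # (200, 'alice')
            "replayed_me": replay(base, cookie.value),         # (200, 'alice')
            "guessed_me": replay(base, "not-a-real-session"),  # (401, ...)
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Run it directly to print the four results. Two things are worth noticing: the jar records the HttpOnly attribute, yet that has no bearing on whether /me accepts the replayed header, and the replay sends only SESSION=value, since the Path and HTTPOnly text in the question's cookietext are Set-Cookie attributes rather than part of a Cookie request header. HttpOnly does one job, stopping the browser from exposing the cookie to script; keeping the value away from an attacker (TLS, short lifetimes, server-side invalidation) is what protects the session.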


Answers (0)
