MATLAB allows creating/editing HTTPOnly cookies

6 views (last 30 days)
Behzad Abdollahi
Behzad Abdollahi on 20 Oct 2016
Commented: Morrie Gasser on 6 Feb 2017
I was trying to connect from MATLAB to a RESTful API that keeps the authentication using an HTTPOnly session cookie. In all the web browsers, HTTPOnly cookies are not editable in the browsers (the only purpose!), but interestingly MATLAB allows it (2015b)!
So what I did was to simply copy the cookie's content from a browser (user was logged in) and used the following code to SIMPLY fake that user in MATLAB!!!
% The whole stored cookie line, including its Set-Cookie attributes, is sent verbatim as the Cookie request header
cookietext = 'SESSION="123test"; Path=/; HTTPOnly';
opts = weboptions('KeyName','Cookie','KeyValue',cookietext);
response = webread(someURL,opts);
This opens a big hole for XSS attacks! Why should MATLAB allow such a thing?
  1 comment
Morrie Gasser
Morrie Gasser on 6 Feb 2017
MATLAB doesn't check or parse what you put into the KeyName/KeyValue options. If you can get hold of someone else's session key, then you could use any utility outside a browser that sends HTTP headers (such as curl) to send it back to the server, thus impersonating that user. MATLAB is no different in this regard. It seems to me that the security problem, if there is one, is the fact that the browser let you copy that HTTPOnly cookie.
In your case, you copied the cookie from one of your own browser sessions to your own MATLAB session. This is not a security problem, as you are only impersonating yourself. Besides, HTTPOnly says that the cookie should only be used on HTTP requests. Since webread issues an HTTP request, this is explicitly permitted.
If you can impersonate another user without their cooperation, that would be a security problem.
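As an added example (not code from the thread, and in Python rather than MATLAB): parsing the Set-Cookie value quoted above shows that HttpOnly is just a stored attribute that the browser enforces against script access, not something the HTTP layer can enforce against any client, and a server-side check can flag a Cookie request header that still carries Set-Cookie attributes, which a browser would never echo back. The header values and log lines are constructed for the example; the cookie line itself is the one from the post.

```python
from http.cookies import SimpleCookie

# Set-Cookie attributes a browser stores but never sends back in a
# Cookie request header (RFC 6265 section 4.2.1).
SET_COOKIE_ATTRS = {"path", "domain", "expires", "max-age",
                    "secure", "httponly", "samesite"}

# The cookie line quoted in the question, as the server would have set it.
POSTED_COOKIE = 'SESSION="123test"; Path=/; HTTPOnly'


def parse_set_cookie(header):
    """Parse a Set-Cookie value into {name: (value, {attribute: value})}.

    HttpOnly shows up only as a flag in the attribute dict: it is an
    instruction to the browser (deny document.cookie access), not a
    property of the value that a non-browser client would ever see.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: (m.value, {k: v for k, v in m.items() if v})
            for name, m in jar.items()}


def cookie_header_anomalies(cookie_header):
    """Return Set-Cookie attribute names found in a Cookie *request* header.

    A browser sends only name=value pairs, so attributes such as Path or
    HttpOnly in the inbound header mean the client pasted a stored cookie
    verbatim (the MATLAB snippet above does exactly that).
    """
    found = []
    for part in cookie_header.split(";"):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name in SET_COOKIE_ATTRS:
            found.append(name)
    return found


def scan_request_log(lines):
    """Flag constructed 'client-ip Cookie-header' log lines with anomalies."""
    return [(ip, cookie_header_anomalies(hdr))
            for ip, hdr in (line.split(" ", 1) for line in lines)
            if cookie_header_anomalies(hdr)]


if __name__ == "__main__":
    print(parse_set_cookie(POSTED_COOKIE))
    # constructed log: a browser request, then a pasted-cookie request
    print(scan_request_log(["198.51.100.7 SESSION=abc123; theme=dark",
                            "203.0.113.9 " + POSTED_COOKIE]))
```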


Answers (0)
