Technical Insight-Vulnerabilities

httpOnly: By the [Website Vulnerability] Numbers

About a week ago Jon Passki asked me what vulnerability statistics WhiteHat Security had on httpOnly (via WhiteHat Sentinel). Here, "vulnerability" means a website that is NOT using httpOnly on a cookie where it should be. For those unfamiliar, httpOnly is an HTTP cookie flag that tells supporting Web browsers to NOT allow JavaScript (client-side code) to read the cookie's value.

 Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; httpOnly]

The general purpose of httpOnly is an extra layer of defense against Cross-Site Scripting (XSS). Should an attacker attempt to exploit an XSS vulnerability, the JavaScript payload would not be able to read the user’s cookies and use them for session hijacking.
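To make the check concrete, here is a small audit script I'm adding as an example; it is not WhiteHat Sentinel code. It parses Set-Cookie header values, reports cookies that lack the httpOnly (and secure) flag, and shows the one-line fix of appending the flag. The sample headers are constructed, and the "looks like a session cookie" name heuristic is an assumption made for the example, not a rule the page states.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example, not WhiteHat Sentinel code. The headers below are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample of Set-Cookie header values (not real data)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "PHPSESSID=deadbeef; path=/",
    "tracking=xyz; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Domain=example.com; secure",
    "theme=dark; Path=/; Max-Age=3600",
]

# Assumption for this example: cookie names containing these fragments are
# treated as session/authentication cookies that should carry HttpOnly.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into its name, flags and other attributes.

    Attribute names are matched case-insensitively (RFC 6265 treats them so),
    which is why both "HttpOnly" and "httponly" count as the flag being set.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    http_only = False
    secure = False
    attrs = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        key_l = key.strip().lower()
        if key_l == "httponly":
            http_only = True
        elif key_l == "secure":
            secure = True
        elif sep:
            attrs[key_l] = val.strip()
    return CookieAudit(name.strip(), http_only, secure, attrs)


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic (assumption): does the cookie name suggest a session token?"""
    n = name.lower()
    return any(hint in n for hint in SESSION_NAME_HINTS)


def audit_headers(headers):
    """Return (cookie name, finding) pairs for session-like cookies missing flags."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if looks_like_session_cookie(c.name):
            if not c.http_only:
                findings.append((c.name, "missing HttpOnly"))
            if not c.secure:
                findings.append((c.name, "missing Secure"))
    return findings


def add_http_only(header: str) -> str:
    """The remediation: append the HttpOnly flag if the header lacks it."""
    if parse_set_cookie(header).http_only:
        return header
    return header.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
    print("fixed:", add_http_only(SAMPLE_HEADERS[1]))
```

Run against the constructed sample, only PHPSESSID is flagged (missing both flags); the tracking and theme cookies are left alone because the heuristic does not treat them as session cookies. In a real audit you would feed this the Set-Cookie headers captured from the application's login response rather than the constructed list.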

Anyway, let’s have a look at the vulnerability numbers. This is a snapshot as of January 17, 2013. These numbers include all [verified] httpOnly vulnerabilities identified by WhiteHat Sentinel across all websites, in all service lines, regardless of assigned severity / threat, going back to when we first began checking for the issue.

  • Total number of vulnerabilities ever identified: 523
  • Vulnerabilities [verified] closed: 91 (Remediation Rate: 17.4%)
  • Vulnerabilities re-opened at least once: 10 (Re-Open Rate: 2%)
  • Time-to-Fix (Days):
    • Standard Deviation: 88.9
    • Average: 82.2
    • Median: 45
    • Min: 0.9
    • Max: 337.2