
httpOnly: By the [Website Vulnerability] Numbers

About a week ago Jon Passki asked me what vulnerability statistics WhiteHat Security had on httpOnly (via WhiteHat Sentinel). Vulnerability = when a website is NOT using httpOnly on a cookie that should have it, typically the session cookie. For those unfamiliar, httpOnly is an HTTP cookie flag that tells supporting web browsers NOT to expose the cookie's value to client-side script (for example via document.cookie); the browser still sends the cookie with requests as usual.

 Set-Cookie: <name>=<value>[; Max-Age=<age>][; Expires=<date>][; Domain=<domain_name>][; Path=<some_path>][; Secure][; HttpOnly]
 

The general purpose of httpOnly is an extra layer of defense against Cross-Site Scripting (XSS). Should an attacker exploit an XSS vulnerability, the JavaScript payload would not be able to read the user's session cookie and use it for session hijacking. It is a mitigation, not a fix: the XSS itself remains, and a payload running in the victim's browser can still issue requests that the browser sends with the cookie attached.
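To make the check concrete, here is an added example (my own code, not from the original post or from WhiteHat Sentinel) that builds Set-Cookie headers in the syntax above, parses them back, flags session-like cookies that lack HttpOnly (and Secure), and models what an XSS payload reading document.cookie would see. The sample headers and the session-name regex are constructed for illustration; a real scanner would use knowledge of the application to decide which cookies "should" be HttpOnly.

```javascript
'use strict';

// Build a Set-Cookie header value. Attribute names follow RFC 6265;
// `secure` and `httpOnly` are booleans, the rest are strings/numbers.
function formatSetCookie(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are matched case-insensitively, as browsers do
// ("HttpOnly", "httponly" and "HTTPONLY" all count).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Heuristic (assumption for this example) for "cookies that should be
// HttpOnly": names that look like session identifiers or auth tokens.
const SESSION_NAME_RE = /(sess|sid|auth)/i;

// Audit a list of Set-Cookie headers. Returns one finding per session-like
// cookie missing HttpOnly; a missing Secure flag is reported alongside it.
function auditSetCookie(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SESSION_NAME_RE.test(c.name)) continue;
    const missing = [];
    if (!c.attrs.httponly) missing.push('HttpOnly');
    if (!c.attrs.secure) missing.push('Secure');
    if (missing.length) findings.push({ cookie: c.name, missing });
  }
  return findings;
}

// What an XSS payload reading document.cookie would see: every cookie
// except those flagged HttpOnly. Modelled here, since Node has no document.
function documentCookieView(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample responses (not real data).
const SAMPLE_HEADERS = [
  formatSetCookie('JSESSIONID', 'abc123', { path: '/', secure: true }),               // missing HttpOnly
  formatSetCookie('PHPSESSID', 'def456', { path: '/' }),                               // missing both
  formatSetCookie('lang', 'en', { path: '/', maxAge: 31536000 }),                      // not a session cookie
  formatSetCookie('auth_session', 'xyz', { path: '/', secure: true, httpOnly: true }), // fixed
];

console.log(auditSetCookie(SAMPLE_HEADERS));
console.log('document.cookie would expose:', documentCookieView(SAMPLE_HEADERS));
```

Run with `node`: the audit reports JSESSIONID (missing HttpOnly) and PHPSESSID (missing HttpOnly and Secure), while auth_session passes; the modelled document.cookie view shows that only the HttpOnly cookie stays out of a script's reach, which is exactly the gap the statistics below are counting.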

Anyway, let’s have a look at the vulnerability numbers. This is a snapshot as of January 17, 2013. These numbers include all [verified] httpOnly vulnerabilities identified by WhiteHat Sentinel across all websites, in all service lines, regardless of assigned severity / threat, going back to when we first began checking for the issue.

  • Total number of vulnerabilities ever identified: 523
  • Vulnerabilities [verified] closed: 91 (Remediation Rate: 17.4%)
  • Vulnerabilities re-opened at least once: 10 (Re-Open Rate: 2%)
  • Time-to-Fix (Days):
    • Standard Deviation: 88.9
    • Average: 82.2
    • Median: 45
    • Min: 0.9
    • Max: 337.2

 


  • http://akashm.com Akash Mahajan

    Wow, the remediation rate percentage is pretty low!

  • http://gscom.cbt.wo.tc/xe/?mid=freeboard&listStyle=list&sort_index=readed_count&order_type=desc&page=10&document_srl=368 gscom.cbt.wo.tc

    Howdy! This is my 1st comment here so I just wanted to give a quick shout out and say I really enjoy reading through your blog posts. Can you suggest any other blogs/websites/forums that go over the same subjects? Thank you!