MATLAB allows creating/editing HTTPOnly cookies

2 views (last 30 days)
I was trying to connect from MATLAB to a RESTful API that keeps the authentication using an HTTPOnly session cookie. In all the web browsers, HTTPOnly cookies are not editable in the browsers (the only purpose!) but interestingly MATLAB allows it (2015b)!
So what I did was to simply copy the cookie's content from a browser (user was logged in) and used the following code to SIMPLY fake that user in MATLAB!!!
% Cookie header value copied from the browser session (value is a placeholder)
cookietext = 'SESSION="123test"; Path=/; HTTPOnly';
% Send it verbatim as the Cookie request header; MATLAB does not parse it
opts = weboptions('KeyName','Cookie','KeyValue',cookietext);
% someURL is the API endpoint of the RESTful service
response = webread(someURL,opts);
This opens a big hole for XSS attacks! Why should MATLAB allow such a thing?
1 comment
Morrie Gasser 2017-2-6
MATLAB doesn't check or parse what you put into the KeyName/KeyValue options. If you can get hold of someone else's session key, then you could use any utility outside a browser that sends HTTP headers (such as curl) to send it back to the server, thus impersonating that user. MATLAB is no different in this regard. It seems to me that the security problem, if there is one, is the fact that the browser let you copy that HTTPOnly cookie.
In your case, you copied the cookie from one of your own browser sessions to your own MATLAB session. This is not a security problem, as you are only impersonating yourself. Besides, HTTPOnly says that the cookie should only be used on HTTP requests. Since webread issues an HTTP request, this is explicitly permitted.
If you can impersonate another user without their cooperation, that would be a security problem.
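The comment's point is about HTTP cookie semantics rather than anything MATLAB-specific, so the following added example (not from this thread or from MathWorks) is written in Python. It parses a Set-Cookie response header, shows that the Cookie request header a client sends back contains only name=value pairs (so Path and HTTPOnly in the question's cookietext are stray attributes that never reach the server as flags), and runs the server-side hardening audit a defender actually controls: whether the session cookie is issued with HttpOnly, Secure and SameSite. All function names and sample headers are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Names defined as Set-Cookie attributes in RFC 6265 section 4.1; they are
# instructions to the browser, not cookie names.
SET_COOKIE_ATTRIBUTES = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}


@dataclass
class SetCookie:
    """One parsed Set-Cookie response header."""
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> SetCookie:
    """Split 'NAME=value; Attr=val; Flag' into the pair and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"Set-Cookie without a name=value pair: {header!r}")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return SetCookie(name.strip(), value.strip().strip('"'), attrs)


def cookie_request_header(cookies: List[SetCookie]) -> str:
    """The Cookie request header a client sends back: name=value pairs only.

    Path, HttpOnly, Secure and the rest stay in the browser's cookie jar; the
    server never sees them again, so a non-browser HTTP client (curl, webread)
    has nothing to 'honour': HttpOnly only hides the cookie from page scripts.
    """
    return "; ".join(f"{c.name}={c.value}" for c in cookies)


def parse_cookie_header(header: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a Cookie request header into pairs, flagging tokens that are really
    Set-Cookie attributes (as in the question's 'Path=/; HTTPOnly')."""
    pairs: Dict[str, str] = {}
    stray: List[str] = []
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        key, sep, val = token.partition("=")
        key = key.strip()
        if key.lower() in SET_COOKIE_ATTRIBUTES:
            stray.append(key)
        elif sep:
            pairs[key] = val.strip().strip('"')
    return pairs, stray


def audit_session_cookie(cookie: SetCookie) -> List[str]:
    """Server-side hardening check for the flags a session cookie is issued with."""
    findings = []
    if not cookie.http_only:
        findings.append("missing HttpOnly: page scripts can read the cookie (XSS exposure)")
    if not cookie.secure:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "samesite" not in cookie.attributes:
        findings.append("missing SameSite: no cross-site request restriction")
    return findings


# Constructed sample headers (not from the original thread).
HARDENED = "SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"
WEAK = "SESSION=abc123; Path=/"

if __name__ == "__main__":
    for raw in (HARDENED, WEAK):
        print(raw, "->", audit_session_cookie(parse_set_cookie(raw)) or ["ok"])
    print("client sends:", cookie_request_header([parse_set_cookie(HARDENED)]))
    print(parse_cookie_header('SESSION="123test"; Path=/; HTTPOnly'))
```

The audit is the part that matters for the original concern: whether a stolen session value can be replayed from any HTTP client is decided by the server (session binding, expiry, revocation), while HttpOnly, Secure and SameSite only limit how easily the value leaks out of a browser in the first place.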

Sign in to comment.

Answers (0)
