httpOnly: By the [Website Vulnerability] Numbers

About a week ago Jon Passki asked me what vulnerability statistics WhiteHat Security had on httpOnly (via WhiteHat Sentinel). Vulnerability = when a website is NOT using httpOnly on a cookie that should have it. For those unfamiliar, httpOnly is an HTTP cookie flag that tells supporting Web browsers to NOT allow client-side code (JavaScript reading document.cookie) to access the cookie's value; the browser still sends the cookie on HTTP requests as usual.

 Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

The general purpose of httpOnly is an extra layer of defense against Cross-Site Scripting (XSS). Should an attacker exploit an XSS vulnerability, the JavaScript payload would not be able to read the user's session cookie and ship it off-site for session hijacking. Note what the flag does not do: it does not stop the XSS itself, and a payload running in the victim's browser can still issue requests that ride on the session cookie, so httpOnly mitigates cookie theft, not XSS.
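To make the "vulnerability" definition above concrete, here is an added example (not code from the original post or from WhiteHat Sentinel) that parses Set-Cookie headers in the syntax shown, reports every cookie lacking the HttpOnly flag, singles out cookies whose names look like session identifiers, and applies the one-token fix. The sample headers and the session-name heuristic are constructed assumptions for the example.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for the
// condition the post counts as an httpOnly vulnerability, a cookie that should
// carry HttpOnly but does not, and show the fix. Header samples and the
// session-name heuristic below are constructed assumptions.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are matched case-insensitively (RFC 6265 treats them so).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq).trim(),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = val;
  }
  return cookie;
}

// Heuristic for cookies that carry a session or credential: these are the ones
// where a missing HttpOnly flag actually enables session hijacking via XSS.
// This pattern is an assumption for the example, not Sentinel's logic.
const SESSION_NAME_RE = /sess|sid|auth|token|login/i;

// Return one finding per cookie that lacks HttpOnly, noting whether the name
// looks like a session identifier and whether Secure is also set.
function auditSetCookieHeaders(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => ({
      name: c.name,
      sessionLike: SESSION_NAME_RE.test(c.name),
      secure: c.secure,
    }));
}

// Remediation: append the flag when absent. Idempotent, so it is safe to run
// over headers that are already correct.
function withHttpOnly(header) {
  return parseSetCookie(header).httpOnly ? header : `${header}; HttpOnly`;
}

// Constructed sample headers, as a server might emit them.
const SAMPLE_HEADERS = [
  'JSESSIONID=A1B2C3; Path=/; Secure',
  'PHPSESSID=d4e5f6; Path=/; Secure; HttpOnly',
  'lang=en; Path=/; Max-Age=31536000',
  'auth_token=t0k3n; Domain=example.com; Path=/; Secure; httponly',
];

for (const f of auditSetCookieHeaders(SAMPLE_HEADERS)) {
  const tag = f.sessionLike ? ' (session-like cookie: high priority)' : '';
  console.log(`${f.name}: missing HttpOnly${tag}`);
}
console.log('fixed:', withHttpOnly(SAMPLE_HEADERS[0]));
```

Run against the samples, the audit flags JSESSIONID (session-like, high priority) and lang (low value to an attacker), and leaves the two cookies that already carry HttpOnly alone. The sessionLike split matters in practice: a missing flag on a language preference is noise, while a missing flag on a session identifier is the finding that makes XSS turn into account takeover.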

Anyway, let's have a look at the vulnerability numbers. This is a snapshot as of January 17, 2013. These numbers include all [verified] httpOnly vulnerabilities identified by WhiteHat Sentinel across all websites, in all service lines, regardless of assigned severity / threat, going back to when we first began checking for the issue.

  • Total number of vulnerabilities ever identified: 523
  • Vulnerabilities [verified] closed: 91 (Remediation Rate: 17.4%)
  • Vulnerabilities re-opened at least once: 10 (Re-Open Rate: 2%)
  • Time-to-Fix (Days):
    • Standard Deviation: 88.9
    • Average: 82.2
    • Median: 45
    • Min: 0.9
    • Max: 337.2



About Jeremiah Grossman

Jeremiah Grossman is the Founder of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Jeremiah has written dozens of articles and white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Jeremiah has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Jeremiah is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, he was an information security officer at Yahoo! Jeremiah can be found on Twitter @jeremiahg.