XMLHTTPRequest set-cookie exposure

[GoogleCodeExporter]

Hello WebGoat team.

I've noticed that the new patch from Microsoft patches XMLHTTPRequest
set-cookie exposure to HTTPOnly cookies.
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx

And although this patch really does block at least set-cookie exposure
(This is the result of pressing the XMLHTTPRequest Read button)



WebGoat is still showing a failure, screen shots below.

This was confirmed on XP/IE 7.0.5730.13

Original issue reported on code.google.com by [email protected] on 14 Nov 2008 at 4:09

[GoogleCodeExporter]

Can we also change this lab to test for both set-cookie and set-cookie2 
exposure of
HTTPOnly cookies via the XMLHTTPRequest Read button? 
http://ha.ckers.org/httponly.cgi
was changed today to test for both.

Original comment by [email protected] on 14 Nov 2008 at 8:48

[GoogleCodeExporter]

I think the request here is for the HTTPOnly lesson use set-cookie and 
set-cookie2

Original comment by [email protected] on 26 Apr 2012 at 7:29

[GoogleCodeExporter]

Original comment by [email protected] on 27 Apr 2012 at 1:21

[GoogleCodeExporter]

Original comment by [email protected] on 8 May 2012 at 11:05