Bugtraq mailing list archives
RE: A technique to mitigate cookie-stealing XSS attacks
From: "Michael Howard" <mikehow () microsoft com>
Date: Thu, 7 Nov 2002 14:49:34 -0800
We added a feature kinda like this to IE6, you can mark a <FRAME> with:

<FRAME SECURITY=RESTRICTED ....> <!-- blah blah --> </FRAME>

And this will force all content into the IE Restricted Zone, which, by default, will not allow much of anything to work.

Cheers, Michael
Secure Windows Initiative
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp

-----Original Message-----
From: Justin King [mailto:justin () othius com]
Sent: Thursday, November 07, 2002 12:27 PM
To: bugtraq () securityfocus com
Cc: Michael Howard
Subject: Re: A technique to mitigate cookie-stealing XSS attacks

I would be very interested in major browsers supporting a <dead> tag with an optional parameter to be a hash of the data between the opening and closing dead tag. This tag would indicate that no "live" elements of HTML be supported (e.g., JavaScript, VBScript, embed, object). I know this has been suggested before. I would prefer to see an RFC covering this, with support and an implementation immediately following.

-Justin

----- Original Message -----
From: "Michael Howard" <mikehow () microsoft com>
To: <bugtraq () securityfocus com>
Sent: Tuesday, November 05, 2002 13:44
Subject: A technique to mitigate cookie-stealing XSS attacks

During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie. Obviously, the server must add this option to all outgoing cookies.

Note, this does _not fix_ XSS bugs in server code; it only helps reduce the potential damage from cookie disclosure threats. Nothing more. Think of it as a very small insurance policy!

A full write-up outlining the HttpOnly flag, as well as source code to set this option, is at http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.

Cheers, Michael Howard
Secure Windows Initiative
Microsoft Corp.
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp
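An added example, not from the message or from Microsoft's write-up: it audits a server's Set-Cookie headers for the HttpOnly attribute (matched case-insensitively, as the message says IE6 SP1 does), appends the attribute where it is missing, and models what a browser honouring HttpOnly hands to document.cookie. The header values are constructed samples; the cookie-string model is a simplification, not IE's implementation.

```python
"""Audit Set-Cookie headers for HttpOnly and model the script-visible cookie string."""
from typing import List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, List[str]]:
    """Split a Set-Cookie header value into (name, value, [attributes])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), [p for p in parts[1:] if p]


def has_httponly(header: str) -> bool:
    """True if the HttpOnly attribute is present; the match is case-insensitive."""
    _, _, attrs = parse_set_cookie(header)
    return any(attr.lower() == "httponly" for attr in attrs)


def add_httponly(header: str) -> str:
    """Return the header unchanged if HttpOnly is already set, else append it."""
    if has_httponly(header):
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


def audit(headers: List[str]) -> List[str]:
    """Names of cookies that script could still read because HttpOnly is absent."""
    return [parse_set_cookie(h)[0] for h in headers if not has_httponly(h)]


def script_visible_cookies(headers: List[str]) -> str:
    """Simplified model of document.cookie in a browser that honours HttpOnly:
    only cookies without the attribute appear; if every cookie is HttpOnly the
    result is the empty string the message describes."""
    visible = []
    for h in headers:
        if not has_httponly(h):
            name, value, _ = parse_set_cookie(h)
            visible.append(f"{name}={value}")
    return "; ".join(visible)


# Constructed sample response headers (not taken from the message).
SAMPLE_HEADERS = [
    "ASPSESSIONID=abc123; path=/",
    "prefs=dark; path=/; HttpOnly",
    "auth=tok; path=/; secure; httponly",
]

if __name__ == "__main__":
    print("readable from script:", audit(SAMPLE_HEADERS))
    print("hardened:", [add_httponly(h) for h in SAMPLE_HEADERS])
    print("document.cookie model:", repr(script_visible_cookies(SAMPLE_HEADERS)))
```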