Bugtraq mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: Seth Arnold <sarnold () wirex com>
Date: Mon, 11 Nov 2002 12:29:41 -0800
On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
> On Thu, 7 Nov 2002, Justin King wrote:
> > I would be very interested in major browsers supporting a <dead> tag
> > with an optional parameter to be a hash of the data between the
> > opening and closing dead tag. This tag would indicate that no "live"
> > elements of HTML be supported (e.g., JavaScript, VBScript, embed,
> > object).
>
> I'm not sure if that's the best solution. Lots of code out there does
> much less filtering than it should, so there will probably be a way to
> include a </dead> tag and then use all the usual XSS tricks.

Amending Justin's suggestion to _require_ a parameter would likely be
sufficient:

    <dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
    [insert nasty javascript, XSS, etc]
    </dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">

If the two tags don't match, the browser continues to enforce the 'dead'
sections of code. Any browser supporting such a dead tag could similarly
require the matching uniqueness tag -- since we are inventing such a tag,
browsers implementing it have a chance to get it correct. :)

(Of course, any content that supplies static tags is doomed -- the
uniqueness tags need to be random enough to prevent guessing by a
dedicated attacker -- or at least sufficiently random to require
attackers to be dedicated.)

-- 
http://immunix.org/
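
A small model of the amended proposal, added here as an illustration and not code from the thread or from any browser: the server fences untrusted content with a fresh random uniq value, and the parser ends a dead region only at a close tag carrying the same value. The function names, the hex-only uniq format, and the choice to show dead content as escaped text are assumptions of this sketch.

```python
import html
import re
import secrets

# Hypothetical syntax from the thread: <dead uniq="..."> ... </dead uniq="...">
OPEN_RE = re.compile(r'<dead\s+uniq="([0-9a-f]+)"\s*>')

# Constructed sample: user-supplied text that tries to close the region early.
PAYLOAD = '</dead><script>alert(1)</script>'


def wrap_untrusted(content: str) -> str:
    """Server side: fence untrusted content with a fresh 128-bit uniq value."""
    uniq = secrets.token_hex(16)  # CSPRNG; new value for every region served
    return f'<dead uniq="{uniq}">{content}</dead uniq="{uniq}">'


def split_regions(page: str):
    """Browser side (model): return [(mode, text)], mode is 'live' or 'dead'.

    A dead region ends only at a close tag carrying the same uniq as its
    opener; any other </dead ...> inside it is inert data. If the matching
    close never appears, the rest of the page stays dead (fail closed).
    """
    regions, pos = [], 0
    while True:
        m = OPEN_RE.search(page, pos)
        if m is None:
            regions.append(("live", page[pos:]))
            break
        regions.append(("live", page[pos:m.start()]))
        close = f'</dead uniq="{m.group(1)}">'
        end = page.find(close, m.end())
        if end == -1:
            regions.append(("dead", page[m.end():]))
            break
        regions.append(("dead", page[m.end():end]))
        pos = end + len(close)
    return [(mode, text) for mode, text in regions if text]


def render(page: str) -> str:
    """Live regions pass through; dead regions are emitted as escaped text."""
    return "".join(text if mode == "live" else html.escape(text)
                   for mode, text in split_regions(page))
```

With a static or guessable uniq value the same parser lets submitted content close the region itself, which is the "static tags" failure the message describes.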