Bugtraq mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: Valdis.Kletnieks () vt edu
Date: Wed, 06 Nov 2002 00:16:33 -0500
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <Weimer () CERT Uni-Stuttgart DE> said:
> What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? Is anybody interested in writing an Informational RFC on this topic?
Pointless. It's one thing for a web browser to refuse to do something because it suspects that it has been asked something underhanded (for instance, to not give a cookie value to a script if it were tagged 'httponly'). It's something else for a server to try to restrict user agents that way. A well-behaved user agent won't need the hints, and a malicious one won't listen to them....

(Note - I'm talking here about a server trying to say "Thou Shalt Not Do XYZ" and expecting to be listened to - if anything, this is a big clue to the attacker that they should look for a way to try to do XYZ anyhow. That never works. On the other hand, there are *lots* of areas where *HINTS* (like the HTTP 'Expires' header) are quite valuable...)

Remember - we've seen enough Bugtraq postings about people who try to use hidden fields in an HTML document for security, and get it wrong...

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
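The 'httponly' behaviour Valdis refers to, as an added example that is not part of the original post or of any browser's code: a minimal emulation of the piece of a well-behaved user agent that stores Set-Cookie headers and decides what a page script may read through document.cookie. The parser, the CookieJar class, the cookie names and the request path are all constructed for illustration, and the path matching is simplified. The point it makes is the one in the post: the flag is the browser withholding a cookie from its own scripts, so the cookie is still attached to every request the browser makes. It stops the value being read and carried off by an injected script; it does not stop that script from issuing requests that ride the session.

```python
"""Emulation of the HttpOnly check a well-behaved user agent performs.

Added example, not from the original post. The cookie jar, the
Set-Cookie lines and the request path below are constructed for
illustration (hypothetical names, not a real application).
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (name=value followed by ';'-separated
    attributes; attribute names are case-insensitive). Unknown attributes such
    as Expires or Domain are ignored here to keep the example small."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
        elif key == "path" and val.strip():
            cookie.path = val.strip()
    return cookie


class CookieJar:
    """The part of a browser that decides who gets to see a stored cookie."""

    def __init__(self) -> None:
        self._cookies: Dict[str, Cookie] = {}

    def store(self, set_cookie_header: str) -> None:
        c = parse_set_cookie(set_cookie_header)
        self._cookies[c.name] = c

    def _matching(self, path: str, https: bool):
        # Simplified path match (prefix only) and the Secure rule: Secure
        # cookies are only sent over HTTPS.
        return [
            c for c in self._cookies.values()
            if path.startswith(c.path) and (https or not c.secure)
        ]

    def request_header(self, path: str, https: bool) -> str:
        """Cookie header for an HTTP request. HttpOnly cookies ARE sent: the
        flag restricts script access, not transmission."""
        return "; ".join(f"{c.name}={c.value}" for c in self._matching(path, https))

    def document_cookie(self, path: str, https: bool) -> str:
        """What a page script sees in document.cookie: HttpOnly cookies are
        withheld, which is the whole mitigation."""
        return "; ".join(
            f"{c.name}={c.value}"
            for c in self._matching(path, https)
            if not c.http_only
        )


# Constructed sample: a session cookie the application marks HttpOnly and a
# preference cookie it leaves readable by scripts.
SAMPLE_SET_COOKIES = [
    "SESSIONID=9f3c1e7a; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]


def demo(set_cookies=SAMPLE_SET_COOKIES) -> Tuple[str, str]:
    """Return (what an injected script can exfiltrate, what the browser still
    sends on the next request to the same site)."""
    jar = CookieJar()
    for h in set_cookies:
        jar.store(h)
    exfiltrated = jar.document_cookie("/account", https=True)
    sent = jar.request_header("/account", https=True)
    return exfiltrated, sent


if __name__ == "__main__":
    stolen, sent = demo()
    print("document.cookie as seen by an injected script:", repr(stolen))
    print("Cookie header on the next request:             ", repr(sent))
```

Running it shows the split the post describes: the script's view contains only `theme=dark`, while the request header still carries `SESSIONID=9f3c1e7a`. A user agent that ignores the flag, or an attacker who already holds the raw header, is outside what the flag can do.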
Current thread:
- A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 05)
- Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 05)
- Re: A technique to mitigate cookie-stealing XSS attacks Valdis . Kletnieks (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks David Wagner (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Valdis . Kletnieks (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Justin King (Nov 09)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
- RE: A technique to mitigate cookie-stealing XSS attacks jasonk (Nov 12)
- Re: A technique to mitigate cookie-stealing XSS attacks Seth Arnold (Nov 14)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
- <Possible follow-ups>
- Re: A technique to mitigate cookie-stealing XSS attacks Matthew Collins (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Nick Simicich (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Peter Watkins (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Steven M. Christey (Nov 08)
(Thread continues...)