Re: A technique to mitigate cookie-stealing XSS attacks

[Valdis.Kletnieks () vt edu]

On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <Weimer () CERT Uni-Stuttgart DE>  said:

> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
>
> Is anybody interested in writing an Informational RFC on this topic?

Pointless.

It's one thing for a web browser to refuse to do something because it suspects
that it has been asked something underhanded (for instance, to not give a
cookie value to a script if it were tagged 'httponly').

It's something else for a server to try to restrict user agents that way.
A well-behaved user agent won't need the hints, and a malicious one won't
listen to them....

(Note - I'm talking here about a server trying to say "Thou Shalt Not Do
XYZ" and expecting to be listened to - if anything, this is a big clue to
the attacker that they should look for a way to try to do XYZ anyhow.  That
never works.  On the other hand, there are *lots* of areas where *HINTS*
(like the HTTP 'Expires' header) are quite valuable...

Remember - we've seen enough Bugtraq postings about people who try to use
hidden fields in an HTML document for security, and get it wrong...
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: _bin
Description: