Bugtraq mailing list archives
RES: A technique to mitigate cookie-stealing XSS attacks
From: AQBARROS () BKB com br
Date: Wed, 6 Nov 2002 10:09:33 -0300
It is a very interesting idea, but it would take some years to start to take effect, as non-compatible browsers would still be on the market for a few years; Can't we find a solution that works on current browsers? Initially, I thought about encrypting cookie content with a server based key. But this key should have some browser-derived component, something that changes from one browser/computer to another; IP is not practical, as the client can be behind a cluster of proxies. Is there something that the browser shows only to the server and not for the client-side scripts? Let´s se if we can improve this idea, Augusto. -----Mensagem original----- De: Florian Weimer [mailto:Weimer () CERT Uni-Stuttgart DE] Enviada em: terça-feira, 5 de novembro de 2002 18:39 Para: Michael Howard Assunto: Re: A technique to mitigate cookie-stealing XSS attacks "Michael Howard" <mikehow () microsoft com> writes:
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie.
What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? Is anybody interested in writing an Informational RFC on this topic? -- Florian Weimer Weimer () CERT Uni-Stuttgart DE University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT fax +49-711-685-5898
Current thread:
- RES: A technique to mitigate cookie-stealing XSS attacks AQBARROS (Nov 07)
- Re: RES: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 08)