Re: A technique to mitigate cookie-stealing XSS attacks

["Steven M. Christey" <coley () linus mitre org>]

For a small data point regarding the need to (somehow) address XSS
vulnerabilities: according to CVE statistics, XSS issues are the
second most frequently reported vulnerability type this year [1],
behind buffer overflows (though new "flavors" of overflows help to
maintain that #1 position.)  Note: this statistic includes both "HTML
injection" into web pages as well as "classic" XSS by tampering with
links (some researchers use the "XSS" term in a link context only),
but it only includes XSS in distributed software, not custom
applications for single-site web services.

While it may take web browsers some time to implement safeguarding
measures such as 'httponly' tags, it no longer seems like heresy to
suggest that entire classes of vulnerabilities could be mitigated by
protecting programmers against themselves wherever possible, and by
default.  Unless/until such safeguards are consistently available at
the OS, hardware, and programming language level, "advisory"
capabilities such as 'httponly' tags could be another useful component
of a defense-in-depth strategy.

- Steve


[1] as reported at the Open Source Security Summit, October 29, 2002