Bugtraq mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 8 Nov 2002 03:18:48 -0500 (EST)
For a small data point regarding the need to (somehow) address XSS vulnerabilities: according to CVE statistics, XSS issues are the second most frequently reported vulnerability type this year [1], behind buffer overflows (though new "flavors" of overflows help to maintain that #1 position.) Note: this statistic includes both "HTML injection" into web pages as well as "classic" XSS by tampering with links (some researchers use the "XSS" term in a link context only), but it only includes XSS in distributed software, not custom applications for single-site web services.

While it may take web browsers some time to implement safeguarding measures such as 'httponly' tags, it no longer seems like heresy to suggest that entire classes of vulnerabilities could be mitigated by protecting programmers against themselves wherever possible, and by default. Unless/until such safeguards are consistently available at the OS, hardware, and programming language level, "advisory" capabilities such as 'httponly' tags could be another useful component of a defense-in-depth strategy.

- Steve

[1] as reported at the Open Source Security Summit, October 29, 2002
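The 'httponly' mitigation the post refers to, as an added example that is not part of the original message or thread: a small model of the browser rule (an HttpOnly cookie is still sent on requests but is hidden from document.cookie), plus a defender-side check that flags Set-Cookie headers missing the attribute. The cookie names and values are constructed for the example.

```javascript
// Added example, not from the original post; Set-Cookie values are constructed.
// Models the browser rule 'httponly' relies on: the cookie is stored and sent,
// but hidden from page scripts such as an injected one reading document.cookie.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// What document.cookie returns for this jar: HttpOnly cookies are omitted,
// which is what a cookie-stealing XSS payload would otherwise have read.
function scriptVisibleCookies(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// The Cookie header the browser attaches to a request. HttpOnly does not change
// this, so script in the page can still drive authenticated requests; the flag
// limits theft of the cookie value, not its use from inside the browser.
function requestCookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Defender-side check: report cookies set without HttpOnly or Secure.
function auditSetCookies(headers) {
  return headers.map(parseSetCookie)
    .map((c) => ({ name: c.name, missing: [!c.httpOnly && 'HttpOnly', !c.secure && 'Secure'].filter(Boolean) }))
    .filter((f) => f.missing.length > 0);
}

// Constructed sample response headers: one hardened session cookie, two without flags.
const SAMPLE_SET_COOKIES = [
  'sessionid=a1b2c3; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
  'legacy_auth=tok123; Path=/',
];

const sampleJar = SAMPLE_SET_COOKIES.map(parseSetCookie);
console.log('document.cookie would expose:', scriptVisibleCookies(sampleJar));
console.log('audit findings:', JSON.stringify(auditSetCookies(SAMPLE_SET_COOKIES)));
```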