Bugtraq mailing list archives

Re: A technique to mitigate cookie-stealing XSS attacks

From: Peter Watkins <peterw () usa net>
Date: Fri, 8 Nov 2002 14:49:39 -0500

On Thu, Nov 07, 2002 at 11:50:03PM -0500, Nick Simicich wrote:

At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:

During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities.

Has anyone looked at the impact of simply changing the default:  Do not 
allow cookies to be accessed from javascript unless they were set from 
javascript in the first place, or have a trailing jscript on any cookie 
that *should* be returned by document.cookie.

The only thing that breaks is the subset who set a cookie with the 
set-cookie header who then want to access the cookie with javascript, and 
as others note, that just is not done much.


It would break a fair bit of code at my employer's site, things like 
logout buttons that are displayed if the user appears to be logged in 
(better to let the client burn those cycles than the server), etc. This 
will allow us to flag the session-authenticating cookies as HTTP-only 
while leaving the session-identifying cookies available to scripts.

Most importantly, your suggestion would break applications that are safely 
written. 

Counter-argument: the IE team's HttpOnly approach can be adopted now, 
without breaking any existing apps. Maybe it's not as good as the
denied-unless-allowed model you suggest, but it's better than the current 
anything-goes status quo.

Note, this does _not fix_ XSS bugs in server code; it only helps reduce
the potential damage from cookie disclosure threats. Nothing more. Think
of it as a very small insurance policy!


And a very welcome one; many thanks to Microsoft for implementing, and the 
Bugtraq folks for approving the post describing the feature.

This mechanism has been suggested as a feature enhancement to the Open 
Source Mozilla browser; interested parties can read details (and vote if 
you like the idea) at

http://bugzilla.mozilla.org/show_bug.cgi?id=178993

-Peter

-- 
Peter Watkins - peterw () tux org - peterw () usa net - http://www.tux.org/~peterw/ 
Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692

Attachment: _bin
Description:

Current thread:

Re: A technique to mitigate cookie-stealing XSS attacks, (continued)
- Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 05)
  - Re: A technique to mitigate cookie-stealing XSS attacks Valdis . Kletnieks (Nov 07)
    - Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 08)
  - Re: A technique to mitigate cookie-stealing XSS attacks David Wagner (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Justin King (Nov 09)
  - Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
    - RE: A technique to mitigate cookie-stealing XSS attacks jasonk (Nov 12)
    - Re: A technique to mitigate cookie-stealing XSS attacks Seth Arnold (Nov 14)
- Re: A technique to mitigate cookie-stealing XSS attacks Matthew Collins (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Nick Simicich (Nov 08)
  - Re: A technique to mitigate cookie-stealing XSS attacks Peter Watkins (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Steven M. Christey (Nov 08)
- RE: A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 08)
- RE: A technique to mitigate cookie-stealing XSS attacks NESTING, DAVID M (SBCSI) (Nov 09)
- RE: A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 11)
- Re: A technique to mitigate cookie-stealing XSS attacks Jeremiah Grossman (Nov 11)
  - RE: A technique to mitigate cookie-stealing XSS attacks Jason Coombs (Nov 12)
- RE: A technique to mitigate cookie-stealing XSS attacks Steven M. Christey (Nov 13)
  - RE: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 15)
  - RE: A technique to mitigate cookie-stealing XSS attacks Eric Stevens (Nov 15)