oss-sec mailing list archives
Re: Re: Question regarding CVE applicability of missing HttpOnly flag
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 26 Jun 2014 00:31:54 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My thought on this: security lines move, e.g. with crypto certain algorithms are no longer sufficient (e.g. DES), they are essentially the same as no crypto when put up against modern hardware. So with web cookies they are often used as authentication tokens (the alternative is in URL which has it's own list of problems, or form values/etc.), I would hazard to say the vast majority of all web based authentication uses cookies (I've never run into widely used certificate based or other options). Also web sites have changed, no longer static sites or "simple" CGI based sites, you pretty much always use a framework, sometimes hosting your framework within a lower level framework. Or you write custom code, whatever. The point is this stuff has XSS flaws all over the place, it's more the rule then the exception. So with widespread XSS in mind, I think it's safe to say that virtually every web site (even sites that care deeply and spend time/money and have bug bounties) have lurking XSS flaws, which if HTTPOnly is not used can result in cookie theft. So in my mind HTTPOnly isn't an option any more, but a requirement, ergo in most situations no HTTPOnly = win a CVE. Evidence: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=XSS - -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTq75aAAoJEBYNRVNeJnmT+iIQAJAQiftwQuLzzATCDczuHnZM MRCoImsrdNjBFTNQ584biZn5AGmiFS5QcGHPYs7uCiCKYNOEJwekafl/kqtigcll wbfBt/vx2hx/bo9B/zyDS6/1F0Vn6lUxzDJpOcikpN72VI0VJCdwA454jK+KVEG2 1ZBBGgMCH92qszG2piem4yQO2BRilEWY5Vi/Qg49vrXFr9KneFCN5FulvRG9469t g5qK0/uhgJvypEF51RiuCpUgnbdYH2vsJxI825tzK33iRpoIkVo9mbtpD3z+7LzY FJSF9XHC1LIQ3210hQoJgG5hEUJdXC8VZizcw1dr+CGSoahzpsjvA8SlQKtlWBH5 iasgS6jbBD/0CJtO63NZ/CFdJibC/5BliFN70x+j6Y0qWCwdf3Z7MyM9uDR0/4mz 81EMNo4r+1SF3xJX0jvKEIbFCLBA8GhTgDFmi/KaK+7Na+hL7kjyQN1FFT85+EKN DhjnGWu/8ns3lAz3Hw3tAI5K1O5IdjOvWIqhlevi5ml0iczcFg+tSG6xo6yxiSC5 gOboOYjEQ+S+GnRh4UWLRB+N63Mt9RZFw1Ooza92BrzzasRXN7OQJ8DK0chTeBGi 6y1aatKCVYtkED5BX3hBpk79h1GJLGk595n+KBkg/dn/Il/YQpbkBpfSextFRehy 83cS60qovyFZXn26qXie =65A0 -----END PGP SIGNATURE-----
Current thread:
- Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 25)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Murray McAllister (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Henri Salo (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Murray McAllister (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Vladimir '3APA3A' Dubrovin (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 25)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Florian Weimer (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Jamie Strandboge (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 27)