Re: Question regarding CVE applicability of missing HttpOnly flag

["Vincent Danen" <vdanen () redhat com>]

On 06/27/2014, at 21:23 PM, cve-assign () mitre org wrote:

> You quoted two paragraphs on the topic of whether system-integration
> issues are covered by CVE and CWE, and then wrote "shouldn't the same
> be true of the HttpOnly flag?" It's unclear how to answer except by
> saying: a decision to use or not use the HttpOnly flag isn't a
> system-integration issue.
>
> You then mentioned 'if setting this flag "fixes" all XSS issues.' It
> seems that a reasonable response here is: an XSS attack can have a
> severe impact even if it's not designed to steal any cookies. (The
> non-cookie-stealing severity varies, in part, based on the types of
> input that are common for the web application in question.) The
> HttpOnly flag is specific to cookies.
>
> Finally, you mentioned "They can't _both_ get CVEs" - a question that
> seems to be about a superfluous CVE assignment in a case where the
> only goal of an XSS attack is to steal a cookie, and the attack relies
> on an XSS vulnerability in a certain web application that doesn't set
> the HttpOnly flag. A response here is: there could be a scenario that
> ended up with a single CVE assignment for a composite of one specific
> instance of incorrect input validation and an incorrect cookie
> restriction. This scenario seems rare. It would require that neither
> issue was dangerous except in the presence of the other issue. For
> example, it would require that the only possible impact of the
> incorrect input validation was to pass JavaScript code that could
> steal cookies (any other malicious JavaScript code would be blocked).
> In most practical cases, two CVE assignments would often be possible
> if someone happened to request two.

Ahhh... ok, this makes more sense.  Thank you!



-- 
Vincent Danen / Red Hat Product Security

Attachment: signature.asc
Description: OpenPGP digital signature