Bugtraq mailing list archives

RE: A technique to mitigate cookie-stealing XSS attacks


From: "jasonk" <jasonk () swin edu au>
Date: Tue, 12 Nov 2002 21:43:34 +1100



-----Original Message-----
From: Ulf Harnhammar [mailto:ulfh () update uu se]
Sent: Sunday, 10 November 2002 2:22 PM
To: Justin King
Subject: Re: A technique to mitigate cookie-stealing XSS attacks

On Thu, 7 Nov 2002, Justin King wrote:

I would be very interested in major browsers supporting a <dead> tag with an optional parameter to be a hash of the data between the opening and closing dead tag. This tag would indicate that no "live" elements of HTML be supported (e.g., JavaScript, VBScript, embed, object).

I'm not sure if that's the best solution. Lots of code out there do much less filtering than it should, so there will probably be a way to include a </dead> tag and then use all the usual XSS tricks.

I'm not sure it's the best solution either: how many of you have used code such as <a href='javascript:...'> and so on?

It's not going to be as easy as it looks - of course if you don't use javascript AT ALL then sure, but many sites use javascript rollovers and so on.  We need a more effective response than this.  Since javascript (and other client-side scripting technologies) is becoming more popular and functional, it seems like, imho, the 'best' alternative is the cookie-blocking approach.  This would stop the *effect* of XSS, much the same as blocking user privileges doesn't stop them running malware but prevents them from having an effect.

jasonk

// Ulf Harnhammar
   VSU Security
   ulfh () update uu se
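The "cookie-blocking approach" argued for in the message above is, in substance, what browsers later shipped as the HttpOnly cookie attribute: a cookie flagged HttpOnly is still sent with requests but is omitted from document.cookie, so script injected via XSS cannot read it. The following is an added example, not code from this thread or from any of its authors. It builds a Set-Cookie header, parses one back, models which cookies page script could see, and audits a response for session cookies set without the flag. Cookie names, values and the sample response headers are constructed here for illustration.

```python
"""Added example: modelling the cookie-blocking (HttpOnly) mitigation.

The Cookie class, the helper names and the sample headers are this
example's own constructions, not anything from the thread.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False
    attrs: dict = field(default_factory=dict)


def build_set_cookie(name, value, *, http_only=True, secure=True, path="/"):
    """Build a Set-Cookie header value; HttpOnly and Secure are on by default."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Parse a Set-Cookie header value into a Cookie (attribute names are
    case-insensitive, as browsers treat them)."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key_l = key.strip().lower()
        if key_l == "httponly":
            cookie.http_only = True
        elif key_l == "secure":
            cookie.secure = True
        else:
            cookie.attrs[key.strip()] = val.strip()
    return cookie


def script_visible_cookies(jar):
    """Model of document.cookie: browsers leave HttpOnly cookies out of it,
    so this is all an injected script could read from the jar."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if not c.http_only)


def cookies_missing_http_only(headers):
    """Defender's check over a list of (header-name, value) pairs: return the
    names of cookies the response sets without HttpOnly."""
    missing = []
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        if not cookie.http_only:
            missing.append(cookie.name)
    return missing


if __name__ == "__main__":
    # Constructed sample: a session cookie set correctly, a UI preference
    # cookie that script legitimately needs to read.
    jar = [
        parse_set_cookie(build_set_cookie("sid", "abc123")),
        parse_set_cookie("theme=dark; Path=/"),
    ]
    print("document.cookie would show:", script_visible_cookies(jar))
    # Constructed sample response to audit.
    response_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    print("cookies set without HttpOnly:", cookies_missing_http_only(response_headers))
```

The audit function is the part worth wiring into a test suite: a session cookie that ever shows up in its output is a regression. The caveat the thread itself hints at still applies: keeping the cookie out of script stops the cookie-stealing effect, but an injected script can still issue requests inside the victim's session, so the flag reduces impact rather than replacing output encoding.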
