Re: A technique to mitigate cookie-stealing XSS attacks

["Matthew Collins" <Matthew.Collins () northernregistrars co uk>]

This seems the wrong way round to me.
After all, how often do you access cookies from client side code?
Personally, I've never done it.
I would have IE disallow all access to cookies from scripts, unless
either, it's disabled in security options (Allow scripts to access
cookies) or the server passes an extension to the browser.
; Scriptable;
That way you don't have to change code for your web applications,
unless you need scripts on your site to have access to cookies. You can
make your browser instantly a lot safer against XSS attacks on all sites
you go to, rather than relying on the coder to set this flag. If you
could rely on the programmer to get it right, you wouldn't have to worry
about XSS attacks anyway would you?

> > > "Michael Howard" <mikehow () microsoft com> 05/11/02 18:44:24 >>>
During the Windows Security Push in Feb/Mar 2002, the Microsoft
Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities. 
        
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has
a
trailing HttpOnly (case insensitive) it will return an empty string to
the browser when accessed from script, such as by using
document.cookie.


Obviously, the server must add this option to all outgoing cookies.

Note, this does _not fix_ XSS bugs in server code; it only helps
reduce
the potential damage from cookie disclosure threats. Nothing more.
Think
of it as a very small insurance policy!

A full write-up outlining the HttpOnly flag, as well as source code to
set this option, is at
http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.

Cheers, Michael Howard
Secure Windows Initiative
Microsoft Corp.

Writing Secure Code 
http://www.microsoft.com/mspress/books/5612.asp


****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************