RES: A technique to mitigate cookie-stealing XSS attacks

[AQBARROS () BKB com br]

It is a very interesting idea, but it would take some years to start to take
effect, as non-compatible browsers would still be on the market for a few
years; Can't we find a solution that works on current browsers?

Initially, I thought about encrypting cookie content with a server based
key. But this key should have some browser-derived component, something that
changes from one browser/computer to another; IP is not practical, as the
client can be behind a cluster of proxies. Is there something that the
browser shows only to the server and not for the client-side scripts?

Let´s se if we can improve this idea,

Augusto.

-----Mensagem original-----
De: Florian Weimer [mailto:Weimer () CERT Uni-Stuttgart DE]
Enviada em: terça-feira, 5 de novembro de 2002 18:39
Para: Michael Howard
Assunto: Re: A technique to mitigate cookie-stealing XSS attacks


"Michael Howard" <mikehow () microsoft com> writes:

> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.

What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?

Is anybody interested in writing an Informational RFC on this topic?

-- 
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898