Full Disclosure mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: Georgi Guninski <guninski () guninski com>
Date: Wed, 06 Nov 2002 00:25:15 +0200
Does "tru$tworthy computing" mean "only helps reduce the potential damage from cookie disclosure threats. Nothing more."?

Why don't the users at secure () microsoft com reply to real threats like: http://lists.netsys.com/pipermail/full-disclosure/2002-September/001900.html ?

Georgi Guninski
http://www.guninski.com

Michael Howard wrote:
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities.

In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie. Obviously, the server must add this option to all outgoing cookies.

Note, this does _not fix_ XSS bugs in server code; it only helps reduce the potential damage from cookie disclosure threats. Nothing more. Think of it as a very small insurance policy!

A full write-up outlining the HttpOnly flag, as well as source code to set this option, is at http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.

Cheers, Michael Howard
Secure Windows Initiative
Microsoft Corp.
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: A technique to mitigate cookie-stealing XSS attacks Georgi Guninski (Nov 05)
- <Possible follow-ups>
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 09)