Re: A technique to mitigate cookie-stealing XSS attacks

[Georgi Guninski <guninski () guninski com>]

Does "tru$tworthy computing" means "only helps reduce the potential damage from 
cookie disclosure threats. Nothing more."

Why the users at secure () microsoft com don't reply to real threats like:
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001900.html
?

Georgi Guninski
http://www.guninski.com


Michael Howard wrote:
> During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
> Explorer team devised a method to reduce the risk of cookie-stealing
> attacks via XSS vulnerabilities. 
> 	
> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.
>
>
> Obviously, the server must add this option to all outgoing cookies.
>
> Note, this does _not fix_ XSS bugs in server code; it only helps reduce
> the potential damage from cookie disclosure threats. Nothing more. Think
> of it as a very small insurance policy!
>
> A full write-up outlining the HttpOnly flag, as well as source code to
> set this option, is at
> http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.
>
> Cheers, Michael Howard
> Secure Windows Initiative
> Microsoft Corp.
>
> Writing Secure Code 
> http://www.microsoft.com/mspress/books/5612.asp


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html