[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A technique to mitigate cookie-stealing XSS attacks

To: "Michael Howard" <mikehow@xxxxxxxxxxxxx>
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
From: Florian Weimer <Weimer@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 05 Nov 2002 22:38:32 +0100
Delivered-to: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Delivery-date: Tue, 05 Nov 2002 22:45:53 +0100
Envelope-to: bugtraq@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <4B0F3B603558B44B9F4608630B4F641105356B68@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> ("Michael Howard"'s message of "Tue, 5 Nov 2002 10:44:24 -0800")
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <4B0F3B603558B44B9F4608630B4F641105356B68@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.2 (i386-debian-linux-gnu)

"Michael Howard" <mikehow@xxxxxxxxxxxxx> writes:

> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.

What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?

Is anybody interested in writing an Informational RFC on this topic?

-- 
Florian Weimer 	                  Weimer@xxxxxxxxxxxxxxxxxxxxx
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

Follow-Ups:
- Re: A technique to mitigate cookie-stealing XSS attacks
  - From: Valdis . Kletnieks
- Re: A technique to mitigate cookie-stealing XSS attacks
  - From: David Wagner

References:
- A technique to mitigate cookie-stealing XSS attacks
  - From: Michael Howard

Prev by Date: networking_utils.php
Next by Date: Bug in Monkey Webserver 0.5.0 or minors versions
Previous by thread: A technique to mitigate cookie-stealing XSS attacks
Next by thread: Re: A technique to mitigate cookie-stealing XSS attacks
Index(es):
- Date
- Thread