Bugtraq mailing list archives
RE: A technique to mitigate cookie-stealing XSS attacks
From: "Michael Howard" <mikehow () microsoft com>
Date: Mon, 11 Nov 2002 10:59:48 -0800
This new HTTPOnly security feature would simply stop cookie hijacking via document.cookie. Nothing else. Which is good, but important to know the limitations and the risks.

Actually, the change is not in IE - it's lower-level in WinInet, which IE uses. So any app that uses document.cookie, or, say, InternetGetCookie, will see an empty string if the cookie is marked HttpOnly.

Cheers, Michael
Secure Windows Initiative
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
Sent: Monday, November 11, 2002 10:20 AM
To: Michael Howard
Cc: bugtraq () securityfocus com
Subject: Re: A technique to mitigate cookie-stealing XSS attacks

First, I'd like to thank the "Microsoft Internet Explorer Team" for instituting some level of security to thwart the plague that is XSS. Sure it might not be a solution for everyone in all instances, but what is. Small steps to find better solutions, use what you have where you can.

However, I'd like to point out that this security feature does not help prevent disclosure of information to third-parties that JS/VB (and more) have access to. (Highly browser dependent of course.) Client-side languages have been seen to have access to information regarding plugins, User-Agents, history, cache, IP/hostname, screen size/resolution, machine type, OS type, etc etc etc. This information can quite easily be passed off-domain to third-parties.

This new HTTPOnly security feature would simply stop cookie hijacking via document.cookie. Nothing else. Which is good, but important to know the limitations and the risks.

From a user standpoint, I'd like to see my browsers give me the ability to assess my own client-side scripting DOM restrictions on a domain-by-domain, site-by-site basis. The ability to give a site the minimum DOM access possible for the desired functionality. Mozilla already has some form of this. This might be a bit more than a normal user can handle, but this is why we have defaults.

Jeremiah Grossman
WhiteHat Security, Inc.

On Tue, 2002-11-05 at 10:44, Michael Howard wrote:

During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie. Obviously, the server must add this option to all outgoing cookies. Note, this does _not fix_ XSS bugs in server code; it only helps reduce the potential damage from cookie disclosure threats. Nothing more. Think of it as a very small insurance policy!

A full write-up outlining the HttpOnly flag, as well as source code to set this option, is at http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp .

Cheers, Michael Howard
Secure Windows Initiative
Microsoft Corp.
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp
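The mechanism the thread describes, as an added example that is not code from the thread, from Microsoft, or from the MSDN write-up: a server-side builder that puts HttpOnly on every outgoing Set-Cookie header, an audit that flags cookies set without it, and a toy browser-side jar whose script-visible view (the document.cookie analogue) leaves HttpOnly cookies out while the request-side Cookie header still carries them. Two assumptions: the jar models the flag by omitting HttpOnly cookies from the script-visible string rather than reproducing IE 6.0 SP1's exact empty-string behaviour, and all cookie names, values and headers (`SESSIONID`, `prefs`, `csrf`, `SAMPLE_HEADERS`) are constructed sample data.

```python
"""Added example (not code from the Bugtraq thread): a small model of the
HttpOnly cookie attribute.

  * build_set_cookie()         - what a server should emit (HttpOnly on by default).
  * CookieJar                  - toy browser store; document_cookie() is the
                                 script-visible view and omits HttpOnly cookies,
                                 request_cookie_header() still includes them.
  * audit_set_cookie_headers() - flags outgoing cookies that lack the flag.

All cookie names and values below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False
    attributes: dict = field(default_factory=dict)  # other attrs, e.g. path


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of one Set-Cookie response header.

    HttpOnly and Secure are matched case-insensitively, in line with the
    thread's note that the HttpOnly flag is case insensitive.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
        else:
            cookie.attributes[key] = val.strip()
    return cookie


def build_set_cookie(name: str, value: str, path: str = "/",
                     secure: bool = True, http_only: bool = True) -> str:
    """Build a Set-Cookie header value; HttpOnly is on unless switched off."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


class CookieJar:
    """Minimal browser-side cookie store (one origin, no expiry handling)."""

    def __init__(self) -> None:
        self._cookies: dict[str, Cookie] = {}

    def set_from_header(self, header: str) -> None:
        cookie = parse_set_cookie(header)
        self._cookies[cookie.name] = cookie

    def document_cookie(self) -> str:
        """Script-visible view: HttpOnly cookies are left out, so a script
        injected through an XSS bug cannot read them (assumed model)."""
        return "; ".join(f"{c.name}={c.value}"
                         for c in self._cookies.values() if not c.http_only)

    def request_cookie_header(self) -> str:
        """Cookie request header: every cookie, HttpOnly ones included. The
        flag hides cookies from script only; the browser still sends them,
        which is why HttpOnly does not fix the underlying XSS bug."""
        return "; ".join(f"{c.name}={c.value}" for c in self._cookies.values())


def audit_set_cookie_headers(headers: list[str]) -> list[str]:
    """Names of cookies set without HttpOnly: a server-side check that the
    flag really is on all outgoing cookies, as the original post requires."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


# Constructed sample response headers, as a server might emit them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/",                    # missing the flag
    "csrf=tok9; Path=/; Secure; HTTPONLY",   # flag in a different case
]


def demo() -> dict:
    jar = CookieJar()
    for h in SAMPLE_HEADERS:
        jar.set_from_header(h)
    return {
        "document_cookie": jar.document_cookie(),
        "cookie_header": jar.request_cookie_header(),
        "missing_httponly": audit_set_cookie_headers(SAMPLE_HEADERS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block shows the split the thread is about: the script-visible string contains only `prefs=dark`, the request header still carries all three cookies, and the audit reports `prefs` as the one cookie set without the flag.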
Current thread:
- Re: A technique to mitigate cookie-stealing XSS attacks, (continued)
- Re: A technique to mitigate cookie-stealing XSS attacks Justin King (Nov 09)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
- RE: A technique to mitigate cookie-stealing XSS attacks jasonk (Nov 12)
- Re: A technique to mitigate cookie-stealing XSS attacks Seth Arnold (Nov 14)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
- Re: A technique to mitigate cookie-stealing XSS attacks Matthew Collins (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Nick Simicich (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Peter Watkins (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Steven M. Christey (Nov 08)
- RE: A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 08)
- RE: A technique to mitigate cookie-stealing XSS attacks NESTING, DAVID M (SBCSI) (Nov 09)
- RE: A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 11)
- Re: A technique to mitigate cookie-stealing XSS attacks Jeremiah Grossman (Nov 11)
- RE: A technique to mitigate cookie-stealing XSS attacks Jason Coombs (Nov 12)
- RE: A technique to mitigate cookie-stealing XSS attacks Steven M. Christey (Nov 13)
- RE: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 15)
- RE: A technique to mitigate cookie-stealing XSS attacks Eric Stevens (Nov 15)
- Re: A technique to mitigate cookie-stealing XSS attacks Justin King (Nov 09)