Bugtraq mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: Peter Watkins <peterw () usa net>
Date: Fri, 8 Nov 2002 14:49:39 -0500
On Thu, Nov 07, 2002 at 11:50:03PM -0500, Nick Simicich wrote:
> At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:
> > During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities.
>
> Has anyone looked at the impact of simply changing the default: Do not allow cookies to be accessed from javascript unless they were set from javascript in the first place, or have a trailing jscript on any cookie that *should* be returned by document.cookie.
>
> The only thing that breaks is the subset who set a cookie with the set-cookie header who then want to access the cookie with javascript, and as others note, that just is not done much.
It would break a fair bit of code at my employer's site, things like logout buttons that are displayed if the user appears to be logged in (better to let the client burn those cycles than the server), etc. This will allow us to flag the session-authenticating cookies as HTTP-only while leaving the session-identifying cookies available to scripts. Most importantly, your suggestion would break applications that are safely written. Counter-argument: the IE team's HttpOnly approach can be adopted now, without breaking any existing apps. Maybe it's not as good as the denied-unless-allowed model you suggest, but it's better than the current anything-goes status quo.
> > Note, this does _not fix_ XSS bugs in server code; it only helps reduce the potential damage from cookie disclosure threats. Nothing more. Think of it as a very small insurance policy!
And a very welcome one; many thanks to Microsoft for implementing, and the Bugtraq folks for approving the post describing the feature. This mechanism has been suggested as a feature enhancement to the Open Source Mozilla browser; interested parties can read details (and vote if you like the idea) at http://bugzilla.mozilla.org/show_bug.cgi?id=178993

-Peter

--
Peter Watkins - peterw () tux org - peterw () usa net - http://www.tux.org/~peterw/
Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692
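The three browser behaviours argued over in this thread (the 2002 anything-goes default, the IE team's HttpOnly opt-out, and Nick Simicich's denied-unless-allowed default) can be modelled side by side. The following is an added example, not code from the thread, from Microsoft or from Mozilla: it parses Set-Cookie headers, tracks whether each cookie was set by the server or by script, and reports which cookie names document.cookie would return under each policy. The cookie names, values and the trailing "jscript" name marker used for the deny-by-default rule are constructed assumptions; the thread only sketches that marker.

```python
"""Which cookies can page script read under each policy discussed in the thread?

Added example, not code from the Bugtraq thread, Microsoft or Mozilla.
Policies modelled:
  - status quo (2002):      document.cookie returns every cookie for the site
  - HttpOnly (IE 6 SP1):    cookies carrying the HttpOnly attribute are hidden
  - deny-unless-allowed:    only cookies set from script, or whose name ends in
                            "jscript" (assumed marker syntax), are visible
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    http_only: bool       # HttpOnly attribute present on the Set-Cookie header
    set_by_script: bool   # True if written via document.cookie, False if via header


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a server-set Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; keep only the name part of each.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "httponly" in attrs, False)


def script_cookie(name: str, value: str) -> Cookie:
    """A cookie written by page script via document.cookie."""
    return Cookie(name, value, http_only=False, set_by_script=True)


def visible_status_quo(jar):
    return sorted(c.name for c in jar)


def visible_httponly(jar):
    return sorted(c.name for c in jar if not c.http_only)


def visible_deny_unless_allowed(jar):
    return sorted(c.name for c in jar
                  if c.set_by_script or c.name.endswith("jscript"))


def missing_for_script(visible, required):
    """Cookie names a page's script needs but cannot read: what a policy breaks."""
    return set(required) - set(visible)


def server_cookies_exposed_to_script(headers):
    """Defender's audit: server-set cookies that lack HttpOnly and so leak via XSS."""
    return sorted(c.name for c in map(parse_set_cookie, headers) if not c.http_only)


# Constructed jar following the split described in the reply above: the
# session-authenticating cookie is HttpOnly, the session-identifying cookie
# stays readable so client-side code (e.g. a logout button) can use it.
SERVER_HEADERS = [
    "SESSAUTH=abc123; Path=/; HttpOnly",   # authenticates the session
    "SESSID=u42; Path=/",                  # identifies the session, script-readable
]
JAR = [parse_set_cookie(h) for h in SERVER_HEADERS] + [script_cookie("prefs", "dark")]
NEEDED_BY_PAGE_SCRIPT = {"SESSID"}       # what the logout-button logic reads


if __name__ == "__main__":
    for label, fn in [("status quo", visible_status_quo),
                      ("HttpOnly", visible_httponly),
                      ("deny-unless-allowed", visible_deny_unless_allowed)]:
        vis = fn(JAR)
        print(f"{label:20s} document.cookie -> {vis}; "
              f"breaks: {missing_for_script(vis, NEEDED_BY_PAGE_SCRIPT) or 'nothing'}")
    print("server cookies readable by script:",
          server_cookies_exposed_to_script(SERVER_HEADERS))
```

Running it shows the trade-off the reply makes: under HttpOnly the authenticating cookie disappears from document.cookie while SESSID stays usable, so the existing page script keeps working; under the deny-unless-allowed default SESSID is hidden too, which is exactly the breakage for applications that deliberately read a header-set cookie from script. The audit function is the check a site owner would run over its own Set-Cookie headers to find session cookies still exposed to script.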