Hi Folks, I recently noticed a few things while auditing one of our web applications for XSS vulnerabilities.
1. The Cosign filter in version 3.2 supports setting the HttpOnly flag on service cookies.
2. This option isn't documented anywhere I can find (though it's mentioned in the release notes) [1].
3. It's not enabled by default.

Given that stealing a user's service cookie via XSS provides an attacker with the ability to log into $service for as long as that user's cosign session is active, is there any reason why this feature is not enabled by default in the filter and server? Is the lack of documentation a bug, or is the feature not considered complete for some reason?

Thanks for any clarification - if a bug report would be more useful/appropriate I'll submit one as soon as the site comes back :-)

-geoff

1. Readable on http://sourceforge.net/projects/cosign/files/cosign/cosign-3.2.0/

___________________________________
* NB: I do not work Wednesday PM *
Geoff Lee <g....@ed.ac.uk>
Senior Computing Officer
Edinburgh College of Art, University of Edinburgh
Hunter Building, Lauriston Place, Edinburgh, Scotland, EH8 9DF
Tel: +44 (0)131 650 2341
Twitter: @eca_it
___________________________________
--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
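The audit the post describes, checking whether a service cookie is exposed to script, can be scripted against an application's response headers. The following is an added example, not code from the cosign project or from the poster; the response block and the cookie name `cosign-service` are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attributes.

Added example, not part of cosign: given the raw header block of an HTTP
response, report which cookies page script could read via document.cookie
because they lack HttpOnly, which is what makes them stealable through XSS.
"""
from typing import Dict, List

# Constructed sample response. The cookie name "cosign-service" is an
# assumption used only to mirror the service-cookie scenario in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: cosign-service=abc123; path=/; secure\r\n"
    "Set-Cookie: session=xyz789; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_set_cookies(raw_headers: str) -> Dict[str, List[str]]:
    """Map each cookie name to the lower-cased attribute names it carries."""
    cookies: Dict[str, List[str]] = {}
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line, other headers, blank separator
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        # Flag attributes (HttpOnly, Secure) have no value; path=/ does.
        # Keep only the attribute name so both forms compare the same way.
        attrs = [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]
        cookies[cookie_name] = attrs
    return cookies


def cookies_missing_httponly(raw_headers: str) -> List[str]:
    """Return the names of cookies that JavaScript on the page could read."""
    return sorted(
        name for name, attrs in parse_set_cookies(raw_headers).items()
        if "httponly" not in attrs
    )


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_RESPONSE):
        print(f"cookie {name!r} lacks HttpOnly")
```

Run it against a captured response from the service after enabling the 3.2 option to confirm the flag actually appears on the service cookie.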