The site's back as of a few minutes ago. (Apologies for interruption, everyone; migrating to github has been a bit rocky.)
-- Jorj

On Feb 18, 2015, at 5:28 AM, LEE Geoffrey <g....@ed.ac.uk> wrote:

> Hi Folks,
>
> I recently noticed a few things while auditing one of our web applications
> for XSS vulnerabilities.
>
> 1. The Cosign filter in version 3.2 supports setting the HttpOnly flag on
> service cookies
> 2. This option isn't documented anywhere I can find (though it's mentioned in
> the release notes) [1]
> 3. It's not enabled by default
>
> Given that stealing a user's service cookie via XSS provides an attacker with
> the ability to log into $service for as long as that user's cosign session is
> active, is there any reason why this feature is not enabled by default in the
> filter and server?
>
> Is the lack of documentation a bug, or is the feature not considered complete
> for some reason?
>
> Thanks for any clarification - if a bug report would be more
> useful/appropriate I'll submit one as soon as the site comes back :-)
>
> -geoff
>
>
> 1. Readable on
> http://sourceforge.net/projects/cosign/files/cosign/cosign-3.2.0/
> ___________________________________
> * NB: I do not work Wednesday PM *
>
> Geoff Lee <g....@ed.ac.uk>
> Senior Computing Officer
> Edinburgh College of Art
> University of Edinburgh
> Hunter Building,
> Lauriston Place,
> Edinburgh, Scotland,
> EH8 9DF
> Tel: +44 (0)131 650 2341
> Twitter: @eca_it
> ___________________________________
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
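The check Geoff describes, whether the service cookie a filter sets actually carries HttpOnly (and Secure), is easy to verify from the response headers rather than from documentation. The following is an added example, not code from the Cosign project or from anyone on this thread: it parses raw Set-Cookie header values and reports each cookie that is missing a required attribute. The header values and the cosign-style cookie names in SAMPLE_HEADERS are constructed for illustration; the optional fetch helper uses only the standard library and is not run by default.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example for auditing a filter's service cookies; not part of the
Cosign project. Attribute names are compared case-insensitively, as
RFC 6265 requires, so "secure", "Secure" and "SECURE" all count.
"""
import urllib.request

# Constructed sample: three Set-Cookie values as a service behind a
# filter might emit them. Cookie names are illustrative only.
SAMPLE_HEADERS = [
    "cosign-service-example=abc123; path=/; secure",          # no HttpOnly
    "cosign-service-other=def456; path=/; Secure; HttpOnly",  # fully flagged
    "tracking=xyz; path=/",                                   # neither flag
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and an attribute dict.

    Flag attributes without a value (HttpOnly, Secure) map to True;
    valued attributes (path, domain, max-age) map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers, required=("httponly", "secure")):
    """Return [(cookie_name, [missing attributes])] for non-compliant cookies.

    An empty list means every cookie carries all required attributes.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [a for a in required if a not in cookie["attrs"]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings


def fetch_set_cookie_headers(url):
    """Collect every Set-Cookie header from a live response (not run here).

    Hypothetical helper for use against your own service; the caller is
    responsible for the URL. Redirects are followed by urllib, so the
    cookies returned are those of the final response.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run against SAMPLE_HEADERS the audit reports the first and third cookies; to check a deployed filter, replace SAMPLE_HEADERS with fetch_set_cookie_headers("https://your-service.example/") and expect an empty result.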