On Wed, 13 Nov 2002, Steven M. Christey wrote:
Being able to place arbitrary HTML into an intermediate web page is
dangerous for other reasons (this is sometimes called HTML
injection, but I view it as another flavor of XSS). For example,
this would allow attackers to use META-REFRESH style
On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
On Thu, 7 Nov 2002, Justin King wrote:
I would be very interested in major browsers supporting a dead tag with an
optional parameter to be a hash of the data between the opening and closing
dead tag. This tag would indicate
While this thread has been focused on scripting languages and cookie
theft, that's not the only issue to be concerned about with XSS.
Being able to place arbitrary HTML into an intermediate web page is
dangerous for other reasons (this is sometimes called HTML
injection, but I view it as another
-Original Message-
From: Ulf Harnhammar [mailto:ulfh;update.uu.se]
Sent: Sunday, 10 November 2002 2:22 PM
To: Justin King
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
On Thu, 7 Nov 2002, Justin King wrote:
I would be very interested in major browsers
[mailto:jeremiah;whitehatsec.com]
Sent: Monday, November 11, 2002 8:20 AM
To: Michael Howard
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
First, I'd like to thank the Microsoft Internet Explorer Team for
instituting some level of security to thwart the plague that is XSS.
Sure it might
, November 11, 2002 10:20 AM
To: Michael Howard
Cc: [EMAIL PROTECTED]
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
First, I'd like to thank the Microsoft Internet Explorer Team for
instituting some level of security to thwart the plague that is XSS.
Sure it might not be a solution
On Thu, 7 Nov 2002, Justin King wrote:
I would be very interested in major browsers supporting a dead tag with an
optional parameter to be a hash of the data between the opening and closing
dead tag. This tag would indicate that no live elements of HTML be
supported (e.g., JavaScript,
At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities.
If I understand the XSS vulnerability correctly, it is all based
[EMAIL PROTECTED] writes:
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer [EMAIL PROTECTED]
said:
What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?
Is
For a small data point regarding the need to (somehow) address XSS
vulnerabilities: according to CVE statistics, XSS issues are the
second most frequently reported vulnerability type this year [1],
behind buffer overflows (though new flavors of overflows help to
maintain that #1 position.) Note:
On Thu, Nov 07, 2002 at 11:50:03PM -0500, Nick Simicich wrote:
At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities.
Florian Weimer wrote:
What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?
HTTP headers are arguably the wrong place, but it might make sense to
have a NOSCRIPTS tag
Initiative
Writing Secure Code
http://www.microsoft.com/mspress/books/5612.asp
-Original Message-
From: Justin King [mailto:justin;othius.com]
Sent: Thursday, November 07, 2002 12:27 PM
To: [EMAIL PROTECTED]
Cc: Michael Howard
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
I
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer [EMAIL PROTECTED]
said:
What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?
Is anybody interested in writing
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities.
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
trailing HttpOnly (case insensitive) it
Michael Howard [EMAIL PROTECTED] writes:
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
trailing HttpOnly (case insensitive) it will return an empty string to
the browser when accessed from script, such as by using document.cookie.
What about HTTP headers which advise
16 matches
Mail list logo