RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-15 Ulf Harnhammar
On Wed, 13 Nov 2002, Steven M. Christey wrote: Being able to place arbitrary HTML into an intermediate web page is dangerous for other reasons (this is sometimes called HTML injection, but I view it as another flavor of XSS). For example, this would allow attackers to use META-REFRESH style

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-14 Seth Arnold
On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote: On Thu, 7 Nov 2002, Justin King wrote: I would be very interested in major browsers supporting a dead tag with an optional parameter to be a hash of the data between the opening and closing dead tag. This tag would indicate

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-13 Steven M. Christey
While this thread has been focused on scripting languages and cookie theft, that's not the only issue to be concerned about with XSS. Being able to place arbitrary HTML into an intermediate web page is dangerous for other reasons (this is sometimes called HTML injection, but I view it as another

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-12 jasonk
-Original Message- From: Ulf Harnhammar [mailto:ulfh;update.uu.se] Sent: Sunday, 10 November 2002 2:22 PM To: Justin King Subject: Re: A technique to mitigate cookie-stealing XSS attacks On Thu, 7 Nov 2002, Justin King wrote: I would be very interested in major browsers

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-12 Jason Coombs
[mailto:jeremiah;whitehatsec.com] Sent: Monday, November 11, 2002 8:20 AM To: Michael Howard Subject: Re: A technique to mitigate cookie-stealing XSS attacks First, I'd like to thank the Microsoft Internet Explorer Team for instituting some level of security to thwart the plague that is XSS. Sure it might

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-11 Michael Howard
, November 11, 2002 10:20 AM To: Michael Howard Cc: [EMAIL PROTECTED] Subject: Re: A technique to mitigate cookie-stealing XSS attacks First, I'd like to thank the Microsoft Internet Explorer Team for instituting some level of security to thwart the plague that is XSS. Sure it might not be a solution

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-11 Ulf Harnhammar
On Thu, 7 Nov 2002, Justin King wrote: I would be very interested in major browsers supporting a dead tag with an optional parameter to be a hash of the data between the opening and closing dead tag. This tag would indicate that no live elements of HTML be supported (e.g., JavaScript,

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Nick Simicich
At 10:44 AM 2002-11-05 -0800, Michael Howard wrote: During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. If I understand the XSS vulnerability correctly, it is all based

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Florian Weimer
[EMAIL PROTECTED] writes: On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer [EMAIL PROTECTED] said: What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? Is

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Steven M. Christey
For a small data point regarding the need to (somehow) address XSS vulnerabilities: according to CVE statistics, XSS issues are the second most frequently reported vulnerability type this year [1], behind buffer overflows (though new flavors of overflows help to maintain that #1 position.) Note:

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Peter Watkins
On Thu, Nov 07, 2002 at 11:50:03PM -0500, Nick Simicich wrote: At 10:44 AM 2002-11-05 -0800, Michael Howard wrote: During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities.

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 David Wagner
Florian Weimer wrote: What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? HTTP headers are arguably the wrong place, but it might make sense to have a NOSCRIPTS tag

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Michael Howard
Initiative Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp -Original Message- From: Justin King [mailto:justin;othius.com] Sent: Thursday, November 07, 2002 12:27 PM To: [EMAIL PROTECTED] Cc: Michael Howard Subject: Re: A technique to mitigate cookie-stealing XSS attacks I

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-07 Valdis . Kletnieks
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer [EMAIL PROTECTED] said: What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? Is anybody interested in writing

A technique to mitigate cookie-stealing XSS attacks

2002-11-05 Michael Howard
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-05 Florian Weimer
Michael Howard [EMAIL PROTECTED] writes: In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie. What about HTTP headers which advise