| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3DC8454B.9010107@guninski.com> From: guninski at guninski.com (Georgi Guninski) Subject: Re: A technique to mitigate cookie-stealing XSS attacks Does "tru$tworthy computing" means "only helps reduce the potential damage from cookie disclosure threats. Nothing more." Why the users at secure@...rosoft.com don't reply to real threats like: http://lists.netsys.com/pipermail/full-disclosure/2002-September/001900.html ? Georgi Guninski http://www.guninski.com Michael Howard wrote: > During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet > Explorer team devised a method to reduce the risk of cookie-stealing > attacks via XSS vulnerabilities. > > In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a > trailing HttpOnly (case insensitive) it will return an empty string to > the browser when accessed from script, such as by using document.cookie. > > > Obviously, the server must add this option to all outgoing cookies. > > Note, this does _not fix_ XSS bugs in server code; it only helps reduce > the potential damage from cookie disclosure threats. Nothing more. Think > of it as a very small insurance policy! > > A full write-up outlining the HttpOnly flag, as well as source code to > set this option, is at > http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp. > > Cheers, Michael Howard > Secure Windows Initiative > Microsoft Corp. > > Writing Secure Code > http://www.microsoft.com/mspress/books/5612.asp > >
Powered by blists - more mailing lists