Home page logo

bugtraq logo Bugtraq mailing list archives

Re: A technique to mitigate cookie-stealing XSS attacks
From: Seth Arnold <sarnold () wirex com>
Date: Mon, 11 Nov 2002 12:29:41 -0800

On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
On Thu, 7 Nov 2002, Justin King wrote:

I would be very interested in major browsers supporting a <dead> tag with an
optional parameter to be a hash of the data between the opening and closing
dead tag. This tag would indicate that no "live" elements of HTML be
supported (e.g., JavaScript, VBScript, embed, object).

I'm not sure if that's the best solution. Lots of code out there do much
less filtering than it should, so there will probably be a way to include
a </dead> tag and then use all the usual XSS tricks.

Amending Justin's suggestion to _require_ a parameter would likely be

<dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
[insert nasty javascript, XSS, etc]
</dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">

If the two tags don't match, the browser continues to enforce the 'dead'
sections of code. Any browser supporting such a dead tag could similarly
require the matching uniqueness tag -- since we are inventing such a tag,
browsers implementing it have a chance to get it correct. :)

(Of course, any content that supplies static tags is doomed -- the
uniquness tags need to be random enough to prevent guessing by a
dedicated attacker -- or at least sufficiently random to require
attackers to be dedicated.)


Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]