Bugtraq: A technique to mitigate cookie-stealing XSS attacks

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

A technique to mitigate cookie-stealing XSS attacks

From: "Michael Howard" <mikehow () microsoft com>
Date: Tue, 5 Nov 2002 10:44:24 -0800

During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities. 
        
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
trailing HttpOnly (case insensitive) it will return an empty string to
the browser when accessed from script, such as by using document.cookie.


Obviously, the server must add this option to all outgoing cookies.

Note, this does _not fix_ XSS bugs in server code; it only helps reduce
the potential damage from cookie disclosure threats. Nothing more. Think
of it as a very small insurance policy!

A full write-up outlining the HttpOnly flag, as well as source code to
set this option, is at
http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.

Cheers, Michael Howard
Secure Windows Initiative
Microsoft Corp.

Writing Secure Code 
http://www.microsoft.com/mspress/books/5612.asp

By Date By Thread

Current thread:

A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 05)
- Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 05)
  - Re: A technique to mitigate cookie-stealing XSS attacks Valdis . Kletnieks (Nov 07)
    - Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 08)
  - Re: A technique to mitigate cookie-stealing XSS attacks David Wagner (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Justin King (Nov 09)