Bugtraq
mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Tue, 05 Nov 2002 22:38:32 +0100
"Michael Howard" <mikehow () microsoft com> writes:
> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.
What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?
Is anybody interested in writing an Informational RFC on this topic?
--
Florian Weimer Weimer () CERT Uni-Stuttgart DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
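The behaviour quoted above, modelled as an added example that is not part of the original thread or of any browser's code: a small cookie jar that records whether each Set-Cookie header carried the HttpOnly attribute (matched case-insensitively, and anywhere in the attribute list rather than only in trailing position), then exposes two views of it. `documentCookie()` plays the role of the script-visible document.cookie getter and omits HttpOnly cookies; `cookieRequestHeader()` plays the role of the Cookie request header and still carries all of them, which is what makes the flag useful against cookie-stealing XSS without breaking the session. The cookie names and values are constructed for illustration.

```javascript
// Added example, not from the original mail: a minimal model of a browser
// cookie jar that honours HttpOnly the way the quoted text describes.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  // Attribute names match case-insensitively: "HttpOnly", "httponly", "HTTPONLY".
  const httpOnly = parts.slice(1).some((attr) => attr.toLowerCase() === "httponly");
  return { name, value, httpOnly };
}

// Build a jar (name -> cookie record) from a list of Set-Cookie header values.
function makeJar(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    jar.set(c.name, c); // a later Set-Cookie for the same name replaces the earlier one
  }
  return jar;
}

// What script sees: the document.cookie getter leaves out HttpOnly cookies.
function documentCookie(jar) {
  return [...jar.values()]
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What the server sees: the Cookie request header carries every cookie,
// HttpOnly or not, so the session keeps working.
function cookieRequestHeader(jar) {
  return [...jar.values()].map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed sample headers (hypothetical names and values).
const SAMPLE_SET_COOKIE = [
  "SESSIONID=abc123; Path=/; HttpOnly",
  "theme=dark; Path=/",
  "tracking=xyz; path=/; httponly",
];

const jar = makeJar(SAMPLE_SET_COOKIE);
console.log("document.cookie ->", JSON.stringify(documentCookie(jar)));
console.log("Cookie header   ->", cookieRequestHeader(jar));
```

Run with `node` to see the two views side by side: script gets only `theme=dark`, while the request header still carries SESSIONID and tracking. An injected script that reads document.cookie therefore never sees the session token, which is the whole point of the flag; it does not stop script from making requests that send the cookie automatically, so it mitigates cookie theft, not XSS itself.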