
oss-sec mailing list archives
Re: Re: Question regarding CVE applicability of missing HttpOnly flag
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 28 Jun 2014 00:15:08 -0600
On 27/06/14 07:09 PM, Vincent Danen wrote:
> On 06/27/2014, at 14:03 PM, cve-assign () mitre org wrote:
>
>>> I suppose maybe there is a CWE for not having a virus scanner, which
>>> makes sense as that could be considered an overall system weakness.
>>
>> Neither CVE nor CWE attempts to cover the general topic of system
>> integration, i.e., questions such as "given the composition and role of
>> this entire system, is it unreasonable to omit a virus scanner?" In
>> practice, both CVE and CWE often tend to be about questions that may
>> come up when considering somewhere around one line of code or one file
>> of code. (This is just an observational statement, not an attempt to
>> redefine why CVE and CWE exist.) Typical audiences may include (among
>> others) developers who need to write a line of code safely or system
>> administrators who need to patch a faulty line of code. This doesn't
>> mean that there's any objection to someone taking the position that
>> lack of a virus scanner is the most serious security concern that they
>> see in an entire system. This is a valid perspective but is outside of
>> the problem spaces in which CVE and CWE have been operating. Even if
>> everyone were looking at "whether or not a flaw is a flaw" decisions in
>> precisely the same way, a conclusion of "yes, this system would really
>> benefit from a virus scanner" leaves open the question of the best
>> place to capture that information.
>
> Then shouldn't the same be true of the HttpOnly flag? That line of
> thought is pretty much what I think in regards to that flag. I don't
> know if you missed my comment in an earlier message, so I'll note it
> below because I think this is the real point:
>
> "Kurt's argument about everything having an XSS makes it sound like,
> and the reasoning provided here as well, that we should no longer
> consider XSS a security flaw, but the absence of HttpOnly the security
> flaw. I mean, if setting this flag "fixes" all XSS issues, then we
> should no longer be assigning CVEs to XSS issues, only to web
> servers/services that do not set HttpOnly or browsers that do not
> respect/handle it properly. They can't _both_ get CVEs or be considered
> flaws, can they?"
Actually my point was more that back in the day cookie theft was
relatively rare, now it is pretty common thanks largely to XSS:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xss

so in my opinion we should assume most web based apps have XSS vulns (I
think that's a safe assumption =), as such then the use of HTTPOnly on
cookies becomes a virtual necessity to protect cookies as opposed to a
"nice to have hardening feature". In other words the security bar should
be moved (at least that's my opinion).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
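The mechanism the thread is arguing about, as an added example that is not code from the thread, from Red Hat or from MITRE: browsers omit HttpOnly cookies from `document.cookie`, so the cookies an XSS payload can exfiltrate are exactly the ones set without the attribute. The script below parses Set-Cookie header values, reports which cookie names injected script could read, flags missing HttpOnly/Secure attributes, and rewrites a weak header into its hardened form. The header values, cookie names and session value are constructed for the example, not captured from any real site.

```python
# Added example, not code from the oss-sec thread: audit Set-Cookie headers for
# HttpOnly/Secure and model what an XSS payload reading document.cookie gets.
from dataclasses import dataclass, field
from typing import Dict, List, Union

Attr = Union[str, bool]


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: Dict[str, Attr] = field(default_factory=dict)  # lower-cased name -> value, True for flags
    raw_attrs: List[str] = field(default_factory=list)    # attributes as written, for rebuilding

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are matched case-insensitively, as browsers do.  A cookie
    value may itself contain '=' (e.g. base64 padding), so only the first '='
    splits the cookie-pair.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError(f"not a cookie-pair: {parts[0]!r}")
    cookie = ParsedCookie(name, value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        cookie.raw_attrs.append(attr)
        key, has_value, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def script_readable(headers: List[str]) -> List[str]:
    """Cookie names an injected <script> could read through document.cookie.

    Browsers leave HttpOnly cookies out of document.cookie, so only cookies
    lacking the attribute are exposed to an XSS cookie-theft payload.
    """
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective attributes it is missing."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        c = parse_set_cookie(header)
        checks = (("HttpOnly", c.httponly), ("Secure", c.secure))
        missing = [flag for flag, present in checks if not present]
        if missing:
            findings[c.name] = missing
    return findings


def harden(header: str) -> str:
    """Return the same Set-Cookie value with HttpOnly and Secure added if absent."""
    c = parse_set_cookie(header)
    parts = [f"{c.name}={c.value}"] + c.raw_attrs
    if not c.httponly:
        parts.append("HttpOnly")
    if not c.secure:
        parts.append("Secure")
    return "; ".join(parts)


# Constructed sample headers (hypothetical values, not from any real site):
# a session cookie set the weak way, the same cookie hardened, and a
# non-sensitive preference cookie that legitimately stays script-readable.
WEAK_SESSION = "JSESSIONID=1A2B3C4D5E6F; Path=/"
HARDENED_SESSION = "JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly; Secure; SameSite=Lax"
PREFS = "prefs=theme%3Ddark; Path=/; Max-Age=31536000"

WEAK_RESPONSE = [WEAK_SESSION, PREFS]
HARDENED_RESPONSE = [HARDENED_SESSION, PREFS]

if __name__ == "__main__":
    print("weak response, readable by XSS payload:", script_readable(WEAK_RESPONSE))
    print("hardened response, readable by XSS payload:", script_readable(HARDENED_RESPONSE))
    print("findings:", audit(WEAK_RESPONSE))
    print("hardened header:", harden(WEAK_SESSION))
```

The caveat a practitioner should keep in mind: HttpOnly only denies script the cookie value. An XSS payload running in the victim's page can still issue authenticated requests with the browser attaching the cookie for it, so the flag narrows what a given XSS yields (no reusable stolen session) without making the XSS harmless. The `audit` output also needs judgment, as with the `prefs` cookie above, which carries nothing worth protecting.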
Current thread:
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag, (continued)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Vladimir '3APA3A' Dubrovin (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Florian Weimer (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 26)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Jamie Strandboge (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag cve-assign (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 30)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 27)
- Re: Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 26)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag Kurt Seifried (Jun 27)
- Re: Question regarding CVE applicability of missing HttpOnly flag Vincent Danen (Jun 27)