A technique to mitigate cookie-stealing XSS attacks

From: Michael Howard (mikehowat_private)
Date: Tue Nov 05 2002 - 10:44:24 PST

Next message: Tacettin Karadeniz: "networking_utils.php"

Previous message: Dave Ahmad: "RE: [security bulletin] SSRT2265 HP TruCluster Server Interconnect Potential Security Vulnerability (fwd)"
Next in thread: Matthew Collins: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Matthew Collins: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Steven M. Christey: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Michael Howard: "RE: A technique to mitigate cookie-stealing XSS attacks"
Reply: NESTING, DAVID M (SBCSI): "RE: A technique to mitigate cookie-stealing XSS attacks"
Reply: Justin King: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Steven M. Christey: "RE: A technique to mitigate cookie-stealing XSS attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing
attacks via XSS vulnerabilities. 
	
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
trailing HttpOnly (case insensitive) it will return an empty string to
the browser when accessed from script, such as by using document.cookie.


Obviously, the server must add this option to all outgoing cookies.

Note, this does _not fix_ XSS bugs in server code; it only helps reduce
the potential damage from cookie disclosure threats. Nothing more. Think
of it as a very small insurance policy!

A full write-up outlining the HttpOnly flag, as well as source code to
set this option, is at
http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.

Cheers, Michael Howard
Secure Windows Initiative
Microsoft Corp.

Writing Secure Code 
http://www.microsoft.com/mspress/books/5612.asp

Next message: Tacettin Karadeniz: "networking_utils.php"
Previous message: Dave Ahmad: "RE: [security bulletin] SSRT2265 HP TruCluster Server Interconnect Potential Security Vulnerability (fwd)"
Next in thread: Matthew Collins: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Matthew Collins: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Steven M. Christey: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Michael Howard: "RE: A technique to mitigate cookie-stealing XSS attacks"
Reply: NESTING, DAVID M (SBCSI): "RE: A technique to mitigate cookie-stealing XSS attacks"
Reply: Justin King: "Re: A technique to mitigate cookie-stealing XSS attacks"
Reply: Steven M. Christey: "RE: A technique to mitigate cookie-stealing XSS attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 05 2002 - 11:59:33 PST