Re: A technique to mitigate cookie-stealing XSS attacks

From: Steven M. Christey (coleyat_private)
Date: Fri Nov 08 2002 - 00:18:48 PST

    For a small data point regarding the need to (somehow) address XSS
    vulnerabilities: according to CVE statistics, XSS issues are the
    second most frequently reported vulnerability type this year [1],
    behind buffer overflows (though new "flavors" of overflows help to
    maintain that #1 position).  Note: this statistic includes both "HTML
    injection" into web pages as well as "classic" XSS by tampering with
    links (some researchers use the "XSS" term in a link context only),
    but it only includes XSS in distributed software, not custom
    applications for single-site web services.
    
    While it may take web browsers some time to implement safeguarding
    measures such as 'httponly' tags, it no longer seems like heresy to
    suggest that entire classes of vulnerabilities could be mitigated by
    protecting programmers against themselves wherever possible, and by
    default.  Unless/until such safeguards are consistently available at
    the OS, hardware, and programming language level, "advisory"
    capabilities such as 'httponly' tags could be another useful component
    of a defense-in-depth strategy.
    
    - Steve
    
    
    [1] as reported at the Open Source Security Summit, October 29, 2002
    


