[27750] in bugtraq


Re: A technique to mitigate cookie-stealing XSS attacks

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Nov 8 00:24:26 2002

Message-Id: <200211060516.gA65GYGc015293@turing-police.cc.vt.edu>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
In-Reply-To: Your message of "Tue, 05 Nov 2002 22:38:32 +0100." <87adknlmsn.fsf@Login.CERT.Uni-Stuttgart.DE>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 06 Nov 2002 00:16:33 -0500


On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> said:

> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
> 
> Is anybody interested in writing an Informational RFC on this topic?

Pointless.

It's one thing for a web browser to refuse to do something because it suspects
that it has been asked something underhanded (for instance, to not give a
cookie value to a script if it were tagged 'httponly').

It's something else for a server to try to restrict user agents that way.
A well-behaved user agent won't need the hints, and a malicious one won't
listen to them....

(Note - I'm talking here about a server trying to say "Thou Shalt Not Do
XYZ" and expecting to be listened to - if anything, this is a big clue to
the attacker that they should look for a way to try to do XYZ anyhow.  That
never works.  On the other hand, there are *lots* of areas where *HINTS*
(like the HTTP 'Expires' header) are quite valuable...)

Remember - we've seen enough Bugtraq postings about people who try to use
hidden fields in an HTML document for security, and get it wrong...
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
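The browser-side enforcement Valdis contrasts with server "hints" (a script not being handed a cookie tagged httponly) as an added Python model; this is not code from the original post, and the Set-Cookie headers and cookie names are constructed for illustration:

```python
"""Model of how a browser enforces the HttpOnly cookie attribute.

Added example, not from the original post. A tiny cookie jar parses
Set-Cookie response headers, then exposes the two views a browser keeps:
the Cookie header sent back to the server (every cookie) and the
document.cookie string handed to page script (HttpOnly cookies withheld).
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    httponly: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "httponly":
            cookie.httponly = True
        elif key == "secure":
            cookie.secure = True
    return cookie


def request_cookie_header(jar: list[Cookie]) -> str:
    """What the browser sends to the server: all cookies, HttpOnly or not."""
    return "; ".join(f"{c.name}={c.value}" for c in jar)


def script_visible_cookies(jar: list[Cookie]) -> str:
    """What document.cookie returns to script: HttpOnly cookies are withheld."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if not c.httponly)


def cookies_missing_httponly(jar: list[Cookie]) -> list[str]:
    """Audit helper: cookie names an injected script could still read."""
    return [c.name for c in jar if not c.httponly]


# Constructed sample response headers (hypothetical cookie names)
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
    "TRACK=xyz; path=/; httponly",
]
JAR = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
```

Running `request_cookie_header(JAR)` versus `script_visible_cookies(JAR)` shows the server still receives SESSIONID while page script only ever sees `theme=dark`.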

