[27834] in bugtraq
RE: A technique to mitigate cookie-stealing XSS attacks
daemon@ATHENA.MIT.EDU (jasonk)
Tue Nov 12 16:42:11 2002
From: "jasonk" <jasonk@swin.edu.au>
To: <bugtraq@securityfocus.com>
Date: Tue, 12 Nov 2002 21:43:34 +1100
Message-ID: <000201c28a38$59daac20$0301010a@wade>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.LNX.4.21.0211100416120.21326-100000@Tempo.Update.UU.SE>
> -----Original Message-----
> From: Ulf Harnhammar [mailto:ulfh@update.uu.se]
> Sent: Sunday, 10 November 2002 2:22 PM
> To: Justin King
> Subject: Re: A technique to mitigate cookie-stealing XSS attacks
>
> On Thu, 7 Nov 2002, Justin King wrote:
>
> > I would be very interested in major browsers supporting a <dead> tag
> with an
> > optional parameter to be a hash of the data between the opening and
> closing
> > dead tag. This tag would indicate that no "live" elements of HTML be
> > supported (e.g., JavaScript, VBScript, embed, object).
>
> I'm not sure if that's the best solution. Lots of code out there do
much
> less filtering than it should, so there will probably be a way to
include
> a </dead> tag and then use all the usual XSS tricks.
I'm not sure it's the best solution either: how many of you have used
code such as <a href='javascript:...'> and so on ?
It's not going to be as easy as it looks - of course if you don't use
javascript AT ALL then sure, but many sites use javascript rollovers and
so on. We need a more effective response than this. Since javascript
(and other client side scripting technologies) are becoming more popular
and functional, it seems like imho the 'best' alternative is the
cookie-blocking approach. This would stop the *effect* of XSS, much the
same as blocking user privileges doesn't stop them running malware but
prevents them from having an effect.
jasonk
> // Ulf Harnhammar
> VSU Security
> ulfh@update.uu.se
