[27862] in bugtraq
Re: A technique to mitigate cookie-stealing XSS attacks
daemon@ATHENA.MIT.EDU (Seth Arnold)
Thu Nov 14 21:03:54 2002
Date: Mon, 11 Nov 2002 12:29:41 -0800
From: Seth Arnold <sarnold@wirex.com>
To: bugtraq@securityfocus.com
Message-ID: <20021111202941.GA10402@wirex.com>
Mail-Followup-To: bugtraq@securityfocus.com,
Justin King <justin@othius.com>, Ulf Harnhammar <ulfh@update.uu.se>
In-Reply-To: <Pine.LNX.4.21.0211100416120.21326-100000@Tempo.Update.UU.SE>
On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
> On Thu, 7 Nov 2002, Justin King wrote:
>
> > I would be very interested in major browsers supporting a <dead> tag with an
> > optional parameter to be a hash of the data between the opening and closing
> > dead tag. This tag would indicate that no "live" elements of HTML be
> > supported (e.g., JavaScript, VBScript, embed, object).
>
> I'm not sure if that's the best solution. Lots of code out there does much
> less filtering than it should, so there will probably be a way to include
> a </dead> tag and then use all the usual XSS tricks.
Amending Justin's suggestion to _require_ a parameter would likely be
sufficient:
<dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
[insert nasty javascript, XSS, etc]
</dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
If the two tags don't match, the browser continues to enforce the 'dead'
sections of code. Any browser supporting such a dead tag could similarly
require the matching uniqueness tag -- since we are inventing such a tag,
browsers implementing it have a chance to get it correct. :)
(Of course, any content that supplies static tags is doomed -- the
uniqueness tags need to be random enough to prevent guessing by a
dedicated attacker -- or at least sufficiently random to require
attackers to be dedicated.)
-- 
http://immunix.org/
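The matching-nonce rule Seth sketches above, modelled as an added Python example (not code from this thread, nor from any browser that implemented such a tag). It assumes a toy tag-level parser in place of a real HTML parser, a hypothetical `neutralise()` function standing in for the browser, and the hex value from Seth's message as a constructed sample nonce. The `require_uniq=False` path models Ulf's concern (any `</dead>` closes the section); the `True` path models Seth's amendment, where only a close tag carrying the same `uniq` value ends the dead section, so an injected close tag without the nonce stays inert. The last function shows the caveat in Seth's parenthetical: a static or leaked nonce gives no protection.

```python
import re
import secrets

# Elements the proposed <dead> tag is meant to switch off inside a section.
LIVE_TAGS = {"script", "object", "embed", "iframe"}
# Toy tag scanner: "</name attrs>" -> (slash, name, attrs). Not a real HTML parser.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")


def new_uniq() -> str:
    """Server side: a fresh, unguessable token per response (32 hex chars).
    Hypothetical helper; secrets.token_hex is CSPRNG-backed."""
    return secrets.token_hex(16)


def render_dead(untrusted_html: str, uniq: str) -> str:
    """Server side: wrap untrusted content in the proposed tag pair, carrying
    the nonce on both the opening and the closing tag as in Seth's sketch."""
    return f'<dead uniq="{uniq}">{untrusted_html}</dead uniq="{uniq}">'


def _uniq_attr(attrs: str):
    m = re.search(r'uniq="([0-9a-fA-F]+)"', attrs)
    return m.group(1) if m else None


def neutralise(html: str, require_uniq: bool = True) -> str:
    """Browser-side model (hypothetical). Live tags that occur inside an open
    dead section are rewritten to inert &lt;...&gt; text. With require_uniq
    False any </dead> ends the section; with True only a </dead> whose uniq
    matches the opening tag does, so a forged close tag is just more dead text."""
    out = []
    pos = 0
    active = None  # uniq of the currently open dead section, or None
    for m in TAG_RE.finditer(html):
        out.append(html[pos:m.start()])
        pos = m.end()
        closing = m.group(1) == "/"
        name = m.group(2).lower()
        uniq = _uniq_attr(m.group(3))
        if active is None:
            # Outside a dead section everything is live; a <dead> tag only
            # opens a section when it actually carries the required parameter.
            if name == "dead" and not closing and uniq is not None:
                active = uniq
            out.append(m.group(0))
            continue
        if name == "dead" and closing and (uniq == active or not require_uniq):
            active = None
            out.append(m.group(0))
        elif name in LIVE_TAGS:
            out.append(m.group(0).replace("<", "&lt;").replace(">", "&gt;"))
        else:
            out.append(m.group(0))  # inert markup such as <b> passes through
    out.append(html[pos:])
    return "".join(out)


def has_live_script(html: str) -> bool:
    """True if a live element survives as a real tag (i.e. would execute)."""
    return any(m.group(2).lower() in LIVE_TAGS for m in TAG_RE.finditer(html))


# Constructed sample: the nonce from Seth's message and an injected close tag
# followed by a script element, the pattern Ulf describes.
SAMPLE_UNIQ = "7f7a2eb8d3adde08f37f22645cb2853e"
INJECTED = '</dead><script>x()</script>'


def forged_close_without_nonce(require_uniq: bool) -> bool:
    """Does the injected content escape the dead section?"""
    page = neutralise(render_dead(INJECTED, SAMPLE_UNIQ), require_uniq)
    return has_live_script(page)


def forged_close_with_known_nonce() -> bool:
    """Seth's caveat: if the attacker knows (or can guess) the nonce, the
    matching rule is satisfied and the section closes early."""
    leaked = f'</dead uniq="{SAMPLE_UNIQ}"><script>x()</script>'
    page = neutralise(render_dead(leaked, SAMPLE_UNIQ), require_uniq=True)
    return has_live_script(page)


if __name__ == "__main__":
    print("name-only matching escapes:", forged_close_without_nonce(False))
    print("nonce matching escapes:   ", forged_close_without_nonce(True))
    print("known nonce escapes:      ", forged_close_with_known_nonce())
    print("fresh nonce:", new_uniq())
```

The point of the third function is that the nonce is the whole mechanism: it must be generated per response from a CSPRNG and never be derivable from the page, which is why a fixed or predictable `uniq` value is, in Seth's words, doomed.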