[Full-Disclosure] Re: A technique to mitigate cookie-stealing XSS attacks

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 11/10/02

From: ulfh@update.uu.se (Ulf Harnhammar)
Date: Sun, 10 Nov 2002 04:21:41 +0100 (CET)

On Thu, 7 Nov 2002, Justin King wrote:

> I would be very interested in major browsers supporting a <dead> tag with an
> optional parameter to be a hash of the data between the opening and closing
> dead tag. This tag would indicate that no "live" elements of HTML be
> supported (e.g., JavaScript, VBScript, embed, object).

I'm not sure if that's the best solution. Lots of code out there do much
less filtering than it should, so there will probably be a way to include
a </dead> tag and then use all the usual XSS tricks.

// Ulf Harnhammar
   VSU Security

Relevant Pages

  • Re: New URL spoofing bug in Microsoft Internet Explorer
    ... the single closing A tag should close the "current" A element - in this ... at this point - malformed html willing. ... from lower level nodes to parent nodes or whether mouseovers at the parent ...
  • Re: Table appears aligned left on home version of web
    ... There's no closing tag at the very bottom of the page. ... You have a closing tag on line 68 that is improperly placed. ... Microsoft MVP FrontPage ...
  • Re: Where do the extra pixels come from?
    ... background images and the width set at 100px. ... It's caused by the new line characters between closing LI tag and the next ... making sure there is no visible whitespace between the closing greater ...
  • Find the tag continued
    ... Takeoff from http-equiv's notes about closing> ... unprocessable HTML tags and tag parameters are ignored during ... An amazing amount of worthless obfuscating stuff can be ...
  • Re: Book/tutorial about SEO
    ... Closing them puts a carriage return which looks funny on the pages ... tag doesn't have to be closed in HTML but has to in XHTML. ...