Re: A technique to mitigate cookie-stealing XSS attacks

From: Steven M. Christey (coley@linus.mitre.org)
Date: 11/08/02


Date: Fri, 8 Nov 2002 03:18:48 -0500 (EST)
From: "Steven M. Christey" <coley@linus.mitre.org>
To: bugtraq@securityfocus.com


For a small data point regarding the need to (somehow) address XSS
vulnerabilities: according to CVE statistics, XSS issues are the
second most frequently reported vulnerability type this year [1],
behind buffer overflows (though new "flavors" of overflows help to
maintain that #1 position.) Note: this statistic includes both "HTML
injection" into web pages as well as "classic" XSS by tampering with
links (some researchers use the "XSS" term in a link context only),
but it only includes XSS in distributed software, not custom
applications for single-site web services.

While it may take web browsers some time to implement safeguarding
measures such as 'httponly' tags, it no longer seems like heresy to
suggest that entire classes of vulnerabilities could be mitigated by
protecting programmers against themselves wherever possible, and by
default. Unless/until such safeguards are consistently available at
the OS, hardware, and programming language level, "advisory"
capabilities such as 'httponly' tags could be another useful component
of a defense-in-depth strategy.

- Steve

[1] as reported at the Open Source Security Summit, October 29, 2002
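The post argues for the HttpOnly cookie attribute as a defense-in-depth measure against cookie-stealing XSS. As an added illustration that is not part of the original message, the Python below shows the server side of that advice: one helper emits a session cookie with HttpOnly (and Secure) set, and a small audit routine parses Set-Cookie headers and reports session-looking cookies that a browser would still expose to injected script. The sample headers and the list of "session-like" name hints are constructed for the example, not taken from any real site.

```python
"""Audit Set-Cookie headers for session cookies that lack HttpOnly.

Added example, not code from the original post. The header lines and
the SESSION_COOKIE_HINTS list are constructed for illustration.
"""
from http.cookies import SimpleCookie
from typing import List, NamedTuple, Set

# Name fragments that usually indicate a session or auth cookie
# (hypothetical heuristic for this example, not a standard list).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


class ParsedCookie(NamedTuple):
    name: str
    value: str
    attrs: Set[str]  # attribute names, lower-cased


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie value with HttpOnly and Secure set.

    HttpOnly asks the browser to keep the cookie out of document.cookie,
    so a script injected through XSS cannot read it; Secure keeps it off
    cleartext connections. Neither stops the XSS itself.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie value into name, value and its attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive (RFC 6265), so normalise them.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return ParsedCookie(name.strip(), value.strip(), attrs)


def find_exposed_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return names of session-looking cookies that lack the HttpOnly flag."""
    exposed = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        lowered = cookie.name.lower()
        looks_like_session = any(hint in lowered for hint in SESSION_COOKIE_HINTS)
        if looks_like_session and "httponly" not in cookie.attrs:
            exposed.append(cookie.name)
    return exposed


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "PHPSESSID=3f9a1c; Path=/",               # session cookie, readable by script
    "auth_token=abc123; Path=/; Secure",      # Secure alone does not hide it from script
    "theme=dark; Path=/",                     # preference cookie, not session-bearing
    build_session_cookie("sid", "7e2b9d"),    # hardened form
]

if __name__ == "__main__":
    for name in find_exposed_cookies(SAMPLE_HEADERS):
        print(f"cookie {name!r} lacks HttpOnly and is readable by injected script")
```

Running the module reports PHPSESSID and auth_token; the hardened `sid` cookie passes. The check is a heuristic on cookie names, so in practice it belongs next to a review of which cookies actually carry session state.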
