A technique to mitigate cookie-stealing XSS attacks
From: Michael Howard [MS] (mikehow@microsoft.com)
Date: 10/29/02
From: "Michael Howard [MS]" <mikehow@microsoft.com> Date: Tue, 29 Oct 2002 08:16:49 -0800
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
Explorer team devised a method to reduce the risk of cookie-stealing attacks
via XSS vulnerabilities.
In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
trailing HttpOnly (case insensitive) it will return an empty string to the
browser when accessed from script, such as by using document.cookie.
Obviously, the server must add this option to all outgoing cookies.
Note, this does _not fix_ XSS bugs in server code; it only helps reduce the
potential damage from cookie disclosure threats. Nothing more.
A full write-up outlining the HttpOnly flag, as well as source code to set
this option, is at
http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp.
Cheers, Michael Howard
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp
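An added example (not code from the post or from the MSDN write-up it links): a small server-side audit that parses Set-Cookie header values, treats the HttpOnly attribute case-insensitively as the post describes, lists the cookies that script could still read through document.cookie, and appends the attribute where it is missing. The header values are constructed for the demonstration.

```python
"""Audit and fix Set-Cookie headers for the HttpOnly attribute.

Constructed example: cookie attributes are compared case-insensitively,
as the post says IE 6.0 SP1 does, so 'HttpOnly', 'httponly' and
'HTTPONLY' are all recognised.
"""
from typing import List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, List[str]]:
    """Split a Set-Cookie value into (name, value, [attributes]).

    Attributes are returned lowercased; the cookie name and value are
    returned as written, since only the attributes are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = [p.lower() for p in parts[1:] if p]
    return name.strip(), value, attrs


def has_httponly(header: str) -> bool:
    """True if the cookie carries the HttpOnly attribute in any case."""
    _, _, attrs = parse_set_cookie(header)
    return "httponly" in attrs


def ensure_httponly(header: str) -> str:
    """Return the header unchanged if HttpOnly is present, else append it."""
    if has_httponly(header):
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


def audit(headers: List[str]) -> List[str]:
    """Names of cookies that script could still read via document.cookie."""
    return [parse_set_cookie(h)[0] for h in headers if not has_httponly(h)]


# Constructed sample Set-Cookie values, as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth=tok456; Path=/; Secure; httponly",
    "prefs=dark; Path=/",
    "tracking=xyz; Domain=example.test; Expires=Wed, 30 Oct 2002 00:00:00 GMT",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"cookie '{name}' lacks HttpOnly")
    for h in SAMPLE_HEADERS:
        print(ensure_httponly(h))
```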