RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-15 Thread Eric Stevens
Two things: While I agree that XSS is far more serious than has been discussed in this thread, addressing cookie stealing is still a legitimate pursuit. Second (and considerably more verbose), you said
>As another example, the "FRAME SECURITY=RESTRICTED" feature described
>by Michael Howard could

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-15 Thread Ulf Harnhammar
On Wed, 13 Nov 2002, Steven M. Christey wrote:
> Being able to place arbitrary HTML into an intermediate web page is
> dangerous for other reasons (this is sometimes called "HTML
> injection," but I view it as another flavor of XSS). For example,
> this would allow attackers to use META-REFRESH s

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-14 Thread Seth Arnold
On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
> On Thu, 7 Nov 2002, Justin King wrote:
>
> > I would be very interested in major browsers supporting a tag with an
> > optional parameter to be a hash of the data between the opening and closing
> > dead tag. This tag would indicat

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-13 Thread Steven M. Christey
While this thread has been focused on scripting languages and cookie theft, that's not the only issue to be concerned about with XSS. Being able to place arbitrary HTML into an intermediate web page is dangerous for other reasons (this is sometimes called "HTML injection," but I view it as anothe

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-12 Thread Jason Coombs
riginal Message-
From: Jeremiah Grossman [mailto:jeremiah@;whitehatsec.com]
Sent: Monday, November 11, 2002 8:20 AM
To: Michael Howard
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
First, I'd like to thank the "Microsoft Internet Explorer Team" for instituting some

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-12 Thread jasonk
> -Original Message-
> From: Ulf Harnhammar [mailto:ulfh@;update.uu.se]
> Sent: Sunday, 10 November 2002 2:22 PM
> To: Justin King
> Subject: Re: A technique to mitigate cookie-stealing XSS attacks
>
> On Thu, 7 Nov 2002, Justin King wrote:
>
> > I wou

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-11 Thread Ulf Harnhammar
On Thu, 7 Nov 2002, Justin King wrote:
> I would be very interested in major browsers supporting a tag with an
> optional parameter to be a hash of the data between the opening and closing
> dead tag. This tag would indicate that no "live" elements of HTML be
> supported (e.g., JavaScript, VBScri

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-11 Thread Michael Howard
ent: Monday, November 11, 2002 10:20 AM
To: Michael Howard
Cc: [EMAIL PROTECTED]
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
First, I'd like to thank the "Microsoft Internet Explorer Team" for instituting some level of security to thwart the plague that is X

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-09 Thread Justin King
I would be very interested in major browsers supporting a tag with an optional parameter to be a hash of the data between the opening and closing dead tag. This tag would indicate that no "live" elements of HTML be supported (e.g., JavaScript, VBScript, embed, object). I know this has been sugge

RE: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread Michael Howard
/books/5612.asp
-Original Message-
From: Justin King [mailto:justin@;othius.com]
Sent: Thursday, November 07, 2002 12:27 PM
To: [EMAIL PROTECTED]
Cc: Michael Howard
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
I would be very interested in major browsers supporting a

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread David Wagner
Florian Weimer wrote:
>What about HTTP headers which advise user agents to disable some
>features, e.g. read/write access to the document or parts of it via
>scripting or other Internet Explorer interfaces?
HTTP headers are arguably the wrong place, but it might make sense to have a tag that wou

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread Peter Watkins
On Thu, Nov 07, 2002 at 11:50:03PM -0500, Nick Simicich wrote:
> At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:
>
> >During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet
> >Explorer team devised a method to reduce the risk of cookie-stealing
> >attacks via XSS vulnerabilit

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread Steven M. Christey
For a small data point regarding the need to (somehow) address XSS vulnerabilities: according to CVE statistics, XSS issues are the second most frequently reported vulnerability type this year [1], behind buffer overflows (though new "flavors" of overflows help to maintain that #1 position.) Note

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread Florian Weimer
[EMAIL PROTECTED] writes:
> On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <[EMAIL PROTECTED]>
>said:
>
>> What about HTTP headers which advise user agents to disable some
>> features, e.g. read/write access to the document or parts of it via
>> scripting or other Internet Explorer interface

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-08 Thread Nick Simicich
At 10:44 AM 2002-11-05 -0800, Michael Howard wrote:
During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities.
If I understand the XSS vulnerability correctly, it is all based on

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-07 Thread Matthew Collins
This seems the wrong way round to me. After all, how often do you access cookies from client side code? Personally, I've never done it. I would have IE disallow all access to cookies from scripts, unless either it's disabled in security options (Allow scripts to access cookies) or the server passe

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-07 Thread Valdis . Kletnieks
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <[EMAIL PROTECTED]> said:
> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
>
> Is anybody interested in w

Re: A technique to mitigate cookie-stealing XSS attacks

2002-11-05 Thread Florian Weimer
"Michael Howard" <[EMAIL PROTECTED]> writes: > In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a > trailing HttpOnly (case insensitive) it will return an empty string to > the browser when accessed from script, such as by using document.cookie. What about HTTP headers which