Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
- Date: Wed, 03 May 2006 19:10:16 +0200
On 3 May 2006 at 8:29, Brian Eaton wrote:
>
> It looks like the attacks fall into three categories:
>
> - attacks requiring XSS + TRACE.
> - attacks requiring XSS + request smuggling.
> - attacks requiring XSS + a test script that acts similarly to the
> TRACE method, returning request values to the browser.
>
> Am I reading that properly?
>
And then there are:
- attacks requiring XSS + virtual hosting on same machine with a malicious virtual site
- attacks requiring XSS + proxy server on the way
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org