Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
- Date: Thu, 04 May 2006 21:23:45 +0200
On 3 May 2006 at 12:47, Amit Klein (AKsecurity) wrote:
>
> Bottom line: there are many known attacks against HttpOnly (and
> against Basic auth), that is, many known ways to elevate "standard" XSS condition to
> be able to grab session info/credentials stored in HttpOnly cookies/HTTP Basic auth.
>
BTW, while we're at it, HTTP *digest* authentication is *much* less vulnerable to exposure
via HTTP headers, due to its dynamic nature.
-Amit
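To make the point above concrete, here is an added example (not code from the list post) contrasting what a leaked Authorization header reveals under Basic versus Digest: a Basic header decodes straight to the password, while a Digest header (RFC 2617, qop=auth) carries only a hash bound to the server's nonce, the method and the URI, so the server rejects it once any of those change. All credentials, realm and nonce values are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (assumptions for this example, not taken from the post).
USER, PASSWORD, REALM = "alice", "s3cret", "example.org"


def basic_header(user, password):
    """Basic auth: the header is just base64(user:password), so a leaked header is the password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials_from_header(header):
    """What a captured Basic header gives away: the plaintext credentials."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, realm, method, uri, nonce, nc, cnonce):
    """Digest auth: the header carries a hash bound to the server nonce, method and URI."""
    resp = digest_response(user, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verifies(header, password_db, method, issued_nonce):
    """Server check: accept only the nonce it issued and recompute the response for this
    request's method and URI, so a header captured elsewhere fails verification."""
    f = {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)}
    if f.get("nonce") != issued_nonce or f.get("username") not in password_db:
        return False
    expected = digest_response(f["username"], password_db[f["username"]], f["realm"],
                               method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(expected, f["response"])
```

The server still needs to issue fresh, expiring nonces and track the nc counter for the replay resistance to hold in practice.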
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org