Re: [WEB SECURITY] Article about HttpOnly
- From: RSnake <rsnake@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Article about HttpOnly
- Date: Tue, 8 Aug 2006 12:48:57 -0700 (PDT)
I'd be very careful in implementing HttpOnly without using a
whitelist approach (there is a problem with this, but I'm getting ahead
of myself). Some browsers (I believe IE5.0 on Mac and WebTV) don't just
fail to support it (in the way Firefox does, where it just ignores it)
but they actually break and the page will not render. So if you run a
large enterprise, I'd stay away from HttpOnly without a whitelist of
which browsers support the technology, unless you don't want a subset of
users to never see your website.
Now, the caveat to that is that Amit's Flash header spoofing
paper can now forge any user agent, making this whitelist a
vulnerability. Additionally, the first thing published on breaking
HttpOnly to my knowledge was Thor's paper on how to use XMLHttpRequest
which will return the headers (outside of JavaScript space). So unless
you are 100% safe from XSS that's a second hole.
Otherwise, it's a pretty thorough paper.
-RSnake
http://ha.ckers.org/
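As an added example (not from this thread or the article under discussion), a small Python audit that pulls the Set-Cookie headers out of a raw HTTP response and lists the cookies that are set without the HttpOnly flag; the sample response is constructed. It only inspects what the server emits and says nothing about whether a given browser honours or chokes on the flag, which is the whitelist question raised above.

```python
"""Audit the Set-Cookie headers of an HTTP response for the HttpOnly flag."""
from typing import Dict, List, NamedTuple


class CookieFlags(NamedTuple):
    name: str
    httponly: bool
    attributes: Dict[str, str]


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie value ('name=value; Attr; Attr=val') into its flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    # Attribute names are case-insensitive, so "HttpOnly" and "httponly" both count.
    return CookieFlags(name.strip(), "httponly" in attrs, attrs)


def set_cookie_values(raw_headers: str) -> List[str]:
    """Return every Set-Cookie value found in a raw HTTP header block."""
    values: List[str] = []
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookies_without_httponly(raw_headers: str) -> List[str]:
    """Names of the cookies this response sets without HttpOnly."""
    parsed = map(parse_set_cookie, set_cookie_values(raw_headers))
    return [c.name for c in parsed if not c.httponly]


# Constructed sample response; not a capture from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; httponly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(cookies_without_httponly(SAMPLE_RESPONSE))  # → ['prefs']
```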
On Tue, 8 Aug 2006, Evert | Collab wrote:
I wrote an article about HttpOnly (including firefox support), the January
livejournal XSS attack and more..
I tried to be as correct as possible and get the information I used from
reliable resources, but I might have made mistakes..
If somebody has the will/time to read and correct it I'd be really
grateful..
The article can be found at http://www.rooftopsolutions.nl/article/97
Thanks in advance,
Evert
--
http://www.rooftopsolutions.nl/
----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
Brought to you by http://www.webappsec.org