
Re: [WEB SECURITY] Article about HttpOnly



On 8/8/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
> Additionally, the first thing published on breaking
> HttpOnly to my knowledge was Thor's paper on how to use XMLHttpRequest
> which will return the headers (outside of JavaScript space).  So unless
> you are 100% safe from XSS that's a second hole.

Got a copy of that paper handy? I'd like to read it. I'm familiar with the techniques mentioned in this webappsec thread: http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html, but the paper you mention sounds like it might be something different.

As far as I can tell, the easiest way to attack a web site that is
using HttpOnly is via CSRF.  And if the site has an XSS hole, all of
the CSRF protection techniques that I know about can be broken using
the XSS.  If somebody knows of CSRF protection techniques that can
survive an XSS hole in the application, I'd love to hear about them.

Despite all of these possible attacks, I still like HttpOnly.  Forcing
the attacker to figure out how to combine the CSRF and XSS isn't a bad
thing.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/