Re: [WEB SECURITY] Article about HttpOnly

Hmm, I am having trouble finding it on the pivx site, but perhaps I am thinking it was a paper and it was really, in fact, just a long long email. Here is part of it: http://archive.cert.uni-stuttgart.de/archive/bugtraq/2003/01/msg00238.html

I agree, HttpOnly has a purpose, I just can't use it for
enterprise solutions because the users get a broken connection.  You
can't even warn them unless you don't set it on the first page.  Pretty
terrible user experience (speaking with my consumer advocate hat on) and
not much of an increase in security, as the only way to steal a cookie
with JavaScript is via XSS anyway, and if they have XSS they can use
XMLHttpRequest and then why bother?  Not to say I haven't used it in the
past, it's just got some issues.

-RSnake
http://ha.ckers.org/


On Tue, 8 Aug 2006, Brian Eaton wrote:

On 8/8/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
Additionally, the first thing published on breaking
HttpOnly to my knowledge was Thor's paper on how to use XMLHttpRequest
which will return the headers (outside of JavaScript space).  So unless
you are 100% safe from XSS that's a second hole.

Got a copy of that paper handy? I'd like to read it. I'm familiar with the techniques mentioned in this webappsec thread: http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html, but the paper you mention sounds like it might be something different.

As far as I can tell, the easiest way to attack a web site that is
using HttpOnly is via CSRF.  And if the site has an XSS hole, all of
the CSRF protection techniques that I know about can be broken using
the XSS.  If somebody knows of CSRF protection techniques that can
survive an XSS hole in the application, I'd love to hear about them.

Despite all of these possible attacks, I still like HttpOnly.  Forcing
the attacker to figure out how to combine the CSRF and XSS isn't a bad
thing.

Regards,
Brian
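Both messages above turn on which attributes a Set-Cookie header actually carries: HttpOnly keeps the cookie out of reach of page script, and Brian's fallback concern is CSRF. The following audit is an added example, not code from this thread or from webappsec.org. It goes one step beyond the 2006 discussion by also checking the SameSite attribute, which did not exist at the time but is the browser-side CSRF restriction the thread says HttpOnly alone does not provide. The response headers in it are constructed for illustration.

```python
# Added example (not from the thread): audit Set-Cookie headers for the
# HttpOnly flag and the related Secure and SameSite attributes.
# SameSite postdates the 2006 discussion; it is included because it is the
# browser-side CSRF restriction that HttpOnly alone does not give.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attribute flags.

    Attribute names are compared case-insensitively, as browsers do.  The
    cookie's own value is not inspected.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    http_only = secure = False
    same_site: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip() or None
    return CookieAudit(name, http_only, secure, same_site)


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse the header and attach a finding for each missing protection."""
    c = parse_set_cookie(header_value)
    if not c.http_only:
        c.findings.append("missing HttpOnly: page script can read this cookie")
    if not c.secure:
        c.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if c.same_site is None:
        c.findings.append("missing SameSite: no browser-side CSRF restriction")
    elif c.same_site.lower() == "none" and not c.secure:
        c.findings.append("SameSite=None without Secure: modern browsers drop it")
    return c


def audit_response(headers: List[Tuple[str, str]]) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value with all three protections set."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample response headers, as a proxy or test harness might capture them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=constructed-session-id; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie in audit_response(SAMPLE_HEADERS):
        status = "ok" if not cookie.findings else "; ".join(cookie.findings)
        print(f"{cookie.name}: {status}")
    print("hardened example:", hardened_set_cookie("PHPSESSID", "constructed-session-id"))
```

Run against captured response headers, the first sample cookie produces three findings and the second none; `hardened_set_cookie` shows the header shape that passes the audit. Note that the audit only confirms the flag is present: as the thread points out, a page with an XSS hole can still issue requests that carry the cookie, so HttpOnly limits disclosure of the cookie value rather than its use.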

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]