
RE: [WEB SECURITY] Article about HttpOnly



I wouldn't say CSRF protection techniques can be easily bypassed when an XSS
hole exists.  From the way I see it CSRF is similar to a direct browse issue
where in order to get to page C.asp, you need to go through A.asp and B.asp
first.  If an XSS exists on C.asp it doesn't matter, you can't exploit it
because the sessioning material is not there.

Most apps that I've seen either purposely or indirectly prevent CSRF or
direct browsing issues by implementing a strong method of tracking session
flow.  In this way they're making the stateless HTTP protocol more stateful.
Kind of like a ping pong effect, where as you move through the app you get
different sessioning material to indicate you've taken the proper flow.
Wait a minute, I feel slightly more insane than normal all of a sudden...
Probably the chaotic airport adventures this week.
BTW I liked the article...




-----Original Message-----
From: Brian Eaton [mailto:eaton.lists@xxxxxxxxx] 
Sent: Tuesday, August 08, 2006 2:41 PM
To: RSnake
Cc: Evert | Collab; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Article about HttpOnly

On 8/8/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
> Additionally, the first thing published on breaking HttpOnly to my 
> knowledge was Thor's paper on how to use XMLHttpRequest which will 
> return the headers (outside of JavaScript space).  So unless you are 
> 100% safe from XSS that's a second hole.

Got a copy of that paper handy?  I'd like to read it.  I'm familiar with the
techniques mentioned in this webappsec thread:
http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html,
but the paper you mention sounds like it might be something different.

As far as I can tell, the easiest way to attack a web site that is using
HttpOnly is via CSRF.  And if the site has an XSS hole, all of the CSRF
protection techniques that I know about can be broken using the XSS.  If
somebody knows of CSRF protection techniques that can survive an XSS hole in
the application, I'd love to hear about them.

Despite all of these possible attacks, I still like HttpOnly.  Forcing the
attacker to figure out how to combine the CSRF and XSS isn't a bad thing.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
