Mitigation of cookie stealing XSS attacks
Microsoft's Michael Howard discusses the points of scrubbing secret data from memory, as well as expounding on mitigating cross-site scripting issues using the HttpOnly cookie extension.
As he noted on few security mailing lists: "During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie."
[ Read more ]
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.