Mitigation of cookie stealing XSS attacks

Wednesday, 6 November 2002, 11:51 AM EST

Microsoft's Michael Howard discusses the points of scrubbing secret data from memory, as well as expounding on mitigating cross-site scripting issues using the HttpOnly cookie extension.

As he noted on few security mailing lists: "During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie."

[ Read more ]

Related items




Spotlight

Keeping passwords safe from cracking

A group of researchers from Purdue University in Indiana have come up with an effective and easy-to-implement solution for protecting passwords from attackers.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Sun, May 24th
    COPYRIGHT 1998-2015 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //