From: Sverre H. Huseby (shh_at_thathost.com)
Date: Thu Jan 23 2003 - 06:14:25 CST
I'm sorry for all the heat you have taken for your white paper.
Personally, I read two important points in it: One down-to-Earth
advice for the web site administrator, and one rather abstract
observation for the web programmer.
For the admin
Disable TRACE requests either in the firewall or in the web server, as
the users' credentials _may_ be stolen. Some people may probably have
fun logging such requests as well.
If I understand the article correctly, credentials between a user and
a web site may be stolen if at least _one_ of the following is true,
as long as TRACE requests are honored:
* The site is open to Cross-site Scripting
* The user has a buggy browser
I often like to say that bugs in the browsers are the users' own
fault, but those running web sites with money involved tend to do more
than me to help their users, out of fear of being held economically
For the programmer
The article shows quite clearly that one should not try to solve a
class of security problems by _adding_ artificial "solutions" rather
than _removing_ the real problem. The problem we are talking about is
Cross-site Scripting (XSS). The artificial solution added on top of
it is httpOnly cookies. Lazy (and ignorant) programmers may think
that if they use httpOnly, they need not pay attention to XSS. Your
article shows that the lazy ones are wrong. Creative people tend to
find ways around the add-ons.
It reminds me a bit of a discussion about session hijacking a few
months back. Some people argued that checking IP addresses is a
solution to the problem. It is not. The root problem in session
hijacking is that someone somehow gets access to another person's
session ID. Checking IP addresses is just one of those add-ons.
Don't get me wrong: The add-ons give us defense in depth, but only if
we try to solve the real problem as well.
--
shh_at_thathost.com                          http://shh.thathost.com/
Computer Geek? Try my Nerd Quiz              http://nerdquiz.thathost.com/
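The advice to the admin above is to stop honouring TRACE and then verify that the change took. The script below is an added example, not part of the original post or of the white paper it replies to: it sends a TRACE request carrying a canary header and reports whether the server echoed the request back with a `message/http` body, which is the behaviour that makes TRACE usable for credential theft. To keep it runnable offline it also starts two constructed local servers, one that implements TRACE and one that does not (Python's `BaseHTTPRequestHandler` answers 501 for any method it has no handler for). The handler classes, `probe_trace` and the canary header name are assumptions of this example; on a real Apache httpd the administrator would set `TraceEnable off` and then point `probe_trace` at the host they own.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still honours TRACE:
    it reflects the request line and all request headers (RFC 2616 9.8)."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_TRACE(self):
        # str(self.headers) serialises the parsed request headers, so any
        # Cookie or Authorization header the client sent comes back in the body.
        echo = self.requestline + "\r\n" + str(self.headers)
        payload = echo.encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


class NoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the hardened server: no do_TRACE at all, so the
    base class answers 501 Unsupported method and nothing is reflected."""

    def log_message(self, *args):
        pass

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler_cls):
    """Start a local HTTP server on an ephemeral port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_trace(host, port, path="/", canary_name="X-Trace-Probe", canary_value="canary"):
    """Send one TRACE request and decide whether the server reflected it.

    Returns a dict with the status code, the Content-Type and a boolean
    'reflected' that is True only when the reply is a 200 with a message/http
    body containing our canary header, i.e. TRACE is honoured.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={canary_name: canary_value})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    ctype = resp.getheader("Content-Type", "") or ""
    reflected = (
        resp.status == 200
        and ctype.lower().startswith("message/http")
        and f"{canary_name}: {canary_value}" in body
    )
    return {"status": resp.status, "content_type": ctype, "reflected": reflected}


def check_local(handler_cls):
    """Run the probe against a constructed local server and return its verdict."""
    srv = start_server(handler_cls)
    try:
        return probe_trace("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, cls in (("TRACE honoured", TraceEchoHandler), ("TRACE disabled", NoTraceHandler)):
        result = check_local(cls)
        verdict = "VULNERABLE: request reflected" if result["reflected"] else "ok: not reflected"
        print(f"{name:15s} -> HTTP {result['status']} {result['content_type']!r}: {verdict}")
```

A 405 or 501 is the expected answer from a server that has TRACE turned off; a 200 whose body repeats the canary header is the signal the post warns about, because the same body would also repeat the browser's Cookie and Authorization headers.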