OSEC

From: Sverre H. Huseby (shh_at_thathost.com)
Date: Thu Jan 23 2003 - 06:14:25 CST

    Jeremiah,

    I'm sorry for all the heat you have taken for your white paper.
    Personally, I read two important points in it: one piece of
    down-to-earth advice for the web site administrator, and one rather
    abstract observation for the web programmer.

    For the admin
    -------------
    Disable TRACE requests either in the firewall or in the web server, as
    the users' credentials _may_ be stolen. Some people will probably have
    fun logging such requests as well.

    If I understand the article correctly, credentials between a user and
    a web site may be stolen if at least _one_ of the following is true,
    as long as TRACE requests are honored:

      * The site is open to Cross-site Scripting
      * The user has a buggy browser

    I often like to say that bugs in the browsers are the users' own
    fault, but those running web sites with money involved tend to do more
    than I do to help their users, out of fear of being held economically
    responsible.

    For the programmer
    ------------------
    The article shows quite clearly that one should not try to solve a
    class of security problems by _adding_ artificial "solutions" rather
    than _removing_ the real problem. The problem we are talking about is
    Cross-site Scripting (XSS). The artificial solution added on top of
    it is httpOnly cookies. Lazy (and ignorant) programmers may think
    that if they use httpOnly, they need not pay attention to XSS. Your
    article shows that the lazy ones are wrong. Creative people tend to
    find ways around the add-ons.

    It reminds me a bit of a discussion about session hijacking a few
    months back. Some people argued that checking IP addresses is a
    solution to the problem. It is not. The root problem in session
    hijacking is that someone somehow gets access to another person's
    session ID. Checking IP addresses is just one of those add-ons.

    Don't get me wrong: The add-ons give us defense in depth, but only if
    we try to solve the real problem as well.

    Sverre.

    -- 
    shh@thathost.com		Computer Geek?  Try my Nerd Quiz
    http://shh.thathost.com/	http://nerdquiz.thathost.com/
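The admin-side check the post recommends, written out as an added example (this is not code from the post, from Jeremiah's white paper, or from any project mentioned above). It runs two throwaway local HTTP servers, one that honours TRACE by echoing the request back as message/http and one hardened to answer 405, then probes each with a TRACE carrying a marker cookie and reports whether that cookie comes back in the response body. The marker value, the handler names and the local-only servers are constructed for the example; point trace_probe() at a real host and port to test a site you are responsible for.

```python
"""Probe whether a web server honours TRACE (the cross-site tracing vector
discussed in the post).  Added example; not part of the original message.

A TRACE response echoes the request, headers included, so anyone who can make
a victim's browser send TRACE to the site gets the Cookie and Authorization
headers back in the body, httpOnly or not.  The probe below sends a marker
cookie and looks for it in the reply.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "xst-canary-7f3a"  # constructed marker, searched for in the echo


def trace_probe(host, port, path="/", timeout=5.0):
    """Send a TRACE with a marker cookie; return (status, leaked).

    leaked is True when the response body contains the cookie we sent,
    i.e. the server reflects request headers back to the caller.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Cookie": f"session={CANARY}"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, CANARY in body
    finally:
        conn.close()


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Simulated vulnerable server: echoes the request line and headers."""

    def do_TRACE(self):
        echo = f"{self.requestline}\r\n" + "".join(
            f"{name}: {value}\r\n" for name, value in self.headers.items()
        ) + "\r\n"
        payload = echo.encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


class TraceDisabledHandler(TraceEnabledHandler):
    """Hardened counterpart: TRACE is refused with 405 and nothing is echoed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(handler):
    """Start a local server on a free port in a daemon thread; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe both simulated servers; returns {name: (status, leaked)}."""
    results = {}
    for name, handler in (("trace-enabled", TraceEnabledHandler),
                          ("trace-disabled", TraceDisabledHandler)):
        srv, port = serve(handler)
        try:
            results[name] = trace_probe("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, (status, leaked) in demo().items():
        print(f"{name}: HTTP {status}, request headers echoed: {leaked}")
```

Two notes the post does not cover: on Apache the server-side switch is the `TraceEnable off` directive (not from the post; added here as a known configuration option), and a probe from outside the browser is the reliable check, since current browsers refuse to issue TRACE from script in the first place.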