SecurityFocus

A technique to mitigate cookie-stealing XSS attacks Nov 05 2002 06:44PM
Michael Howard (mikehow microsoft com) (3 replies)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 11 2002 06:19PM
Jeremiah Grossman (jeremiah whitehatsec com) (1 replies)

RE: A technique to mitigate cookie-stealing XSS attacks Nov 12 2002 12:46AM
Jason Coombs (jasonc science org)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 07 2002 08:26PM
Justin King (justin othius com) (1 replies)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 10 2002 03:21AM
Ulf Harnhammar (ulfh update uu se) (2 replies)

On Thu, 7 Nov 2002, Justin King wrote:

> I would be very interested in major browsers supporting a <dead> tag with an
> optional parameter to be a hash of the data between the opening and closing
> dead tag. This tag would indicate that no "live" elements of HTML be
> supported (e.g., JavaScript, VBScript, embed, object).

I'm not sure if that's the best solution. Lots of code out there do much
less filtering than it should, so there will probably be a way to include
a </dead> tag and then use all the usual XSS tricks.

// Ulf Harnhammar
VSU Security
ulfh (at) update.uu (dot) se [email concealed]

[ reply ]

RE: A technique to mitigate cookie-stealing XSS attacks Nov 12 2002 10:43AM
jasonk (jasonk swin edu au)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 11 2002 08:29PM
Seth Arnold (sarnold wirex com)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 05 2002 09:38PM
Florian Weimer (Weimer CERT Uni-Stuttgart DE) (2 replies)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 08 2002 04:23AM
daw mozart cs berkeley edu (David Wagner)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 06 2002 05:16AM
Valdis Kletnieks vt edu (1 replies)

Re: A technique to mitigate cookie-stealing XSS attacks Nov 08 2002 10:12AM
Florian Weimer (Weimer CERT Uni-Stuttgart DE)