Friday, November 18, 2005

Cross-Site Scripting and Tracing

Reading about WinINet I came across a "HttpOnly" attribute for cookies that Microsoft added to IE6 in SP1 (Note there is no hyphen in the attribute name).
That led me to some other good articles about cross-site scripting.
Mitigating Cross-site Scripting With HTTP-only Cookies
Scott Hanselman blogged about it over the summer, but I missed it then.

And to an article that uses the TRACE function as a technique to circumvent this attribute.
I don't know whether it is common to turn off the TRACE functionality on IIS servers.

Jeff Prosise wrote and lectured on website hacking during 2004. He came to Bloomington(IL) as part of an INETA-sponsored tour a year ago. I guess I wasn't blogging then, so I didn't post about his presentation, but other user groups and bloggers (Robert Hurlbut) have posted summaries and his sample code. Jeff wrote Stop Cross-site Scripting Attacks in their Tracks in ASP.NET Pro Mag in 2003 (subscription only) and on Foiling Session Hijacking Attempts in his Wicked Code column in MSDN Mag for August 2004 and

Other topics:
Where is that artcle about script reading the clipboard?
Retrieving Data using Script


Post a Comment

<< Home