RETURN $ecure;

Security, Technology and Life

Archive for May 2007

The Murky Science of Web Application Security

with 2 comments

Jeremiah had a talk with Simson Garfinkel about Web Application Security recently. You can read Jeremiah’s post here and the full article here.

There is nothing new at all from a security perspective in this article, but it really lives up to its name as an introduction to Web App Sec. It points out a few things we already knew, such as the scary fact that up to 80 percent of all websites suffer from some sort of vulnerability. The ones that don’t are mostly static HTML sites with no complex backend, ‘brochure-ware’ as the article calls it.

It also elaborates on some of the issues that must be faced, such as the need for secure coding. In most cases (but not all), it’s pretty bad practice to just slap on a WAF and hope for the best. As this quote points out:

 Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It’s better to look for the bugs and fix them than to simply cross your fingers and hope that they aren’t there.

So all in all, if you’re a frustrated web app sec guy, this is a great article to show the higher-ups. Murky indeed. As RSnake would say, clear as mud?

Written by Rodney G

05/14/2007 at 11:00 am

Posted in Uncategorized


Opera to support HttpOnly

with 3 comments

Heya. I haven’t blogged in a while but I do want to start getting back into it.

So, we’ll start with something small.

I read this article the other day about updates coming to Opera in 9.5 and was pleasantly surprised to read that it will support HttpOnly cookies. Now, if you don’t know what that is, I’ll give a quick run-down. Normally, scripts can access cookies through things like document.cookie in JavaScript. In the Set-Cookie header, along with the normal cookie attributes, a server can mark a cookie as HttpOnly. This means the cookie cannot normally be read by any means other than the browser sending it in an HTTP request. This slightly mitigates using XSS to steal credentials, as you can no longer read the cookie with JavaScript and send it out, but it obviously doesn’t stop phishing via any means.

Many sites do use HttpOnly cookies, but currently only Internet Explorer supports it. If you use a browser that doesn’t support it, the cookie is simply downgraded to a normal cookie. To be fair, Firefox 3 is planned to have support for it as well, but it seems 9.5 will be out before FF3. At any rate, while this won’t stop XSS, it basically eliminates the risk of cookie theft.

Just remember though, cookies aren’t the only credentials that can be stolen with XSS or other methods. ‘Dynamic’ phishing methods that don’t rely on a third-party site are still somewhat hard to detect and should be watched out for.
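The HttpOnly behaviour described above can be checked from the defender's side. The following is an added example, not code from the original post: it parses Set-Cookie header values, models what document.cookie would expose in a browser that honours the flag versus one that downgrades it to a normal cookie, and lists cookies that are still script-readable. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly flag and model
// what a script could read through document.cookie.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // no name=value pair: skip it
  const attrs = parts.slice(1).map((a) => a.split('=')[0].trim().toLowerCase());
  return {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: attrs.includes('httponly'), // attribute names are case-insensitive
  };
}

// The string document.cookie would return for these cookies.
// supportsHttpOnly=false models a browser that ignores the flag and
// treats every cookie as a normal, script-readable one.
function scriptVisibleCookies(headers, supportsHttpOnly) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !(supportsHttpOnly && c.httpOnly))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Names of cookies that remain readable by script even in a supporting browser.
function missingHttpOnly(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample response headers (not taken from any real site).
const sampleHeaders = [
  'SESSIONID=abc123; Path=/; HttpOnly',
  'theme=dark; Path=/',
  'auth_token=xyz789; Path=/; Secure; httponly',
  'cart=42; Path=/shop',
];

console.log('supporting browser:    ', scriptVisibleCookies(sampleHeaders, true));
console.log('non-supporting browser:', scriptVisibleCookies(sampleHeaders, false));
console.log('lacking HttpOnly:      ', missingHttpOnly(sampleHeaders));
```

Any session or authentication cookie that shows up in the last list is one to fix on the server side.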

Written by Rodney G

05/10/2007 at 1:37 pm

Posted in Uncategorized
