Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 Jun 2014 00:31:54 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, vdanen@...hat.com
CC: cve-assign@...re.org
Subject: Re: Re: Question regarding CVE applicability of missing
 HttpOnly flag

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My thought on this: security lines move, e.g. with crypto certain
algorithms are no longer sufficient (e.g. DES), they are essentially
the same as no crypto when put up against modern hardware.

So with web cookies they are often used as authentication tokens (the
alternative is in URL which has it's own list of problems, or form
values/etc.), I would hazard to say the vast majority of all web based
authentication uses cookies (I've never run into widely used
certificate based or other options). Also web sites have changed, no
longer static sites or "simple" CGI based sites, you pretty much
always use a framework, sometimes hosting your framework within a
lower level framework. Or you write custom code, whatever. The point
is this stuff has XSS flaws all over the place, it's more the rule
then the exception.

So with widespread XSS in mind, I think it's safe to say that
virtually every web site (even sites that care deeply and spend
time/money and have bug bounties) have lurking XSS flaws, which if
HTTPOnly is not used can result in cookie theft. So in my mind
HTTPOnly isn't an option any more, but a requirement, ergo in most
situations no HTTPOnly = win a CVE.

Evidence:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=XSS

- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTq75aAAoJEBYNRVNeJnmT+iIQAJAQiftwQuLzzATCDczuHnZM
MRCoImsrdNjBFTNQ584biZn5AGmiFS5QcGHPYs7uCiCKYNOEJwekafl/kqtigcll
wbfBt/vx2hx/bo9B/zyDS6/1F0Vn6lUxzDJpOcikpN72VI0VJCdwA454jK+KVEG2
1ZBBGgMCH92qszG2piem4yQO2BRilEWY5Vi/Qg49vrXFr9KneFCN5FulvRG9469t
g5qK0/uhgJvypEF51RiuCpUgnbdYH2vsJxI825tzK33iRpoIkVo9mbtpD3z+7LzY
FJSF9XHC1LIQ3210hQoJgG5hEUJdXC8VZizcw1dr+CGSoahzpsjvA8SlQKtlWBH5
iasgS6jbBD/0CJtO63NZ/CFdJibC/5BliFN70x+j6Y0qWCwdf3Z7MyM9uDR0/4mz
81EMNo4r+1SF3xJX0jvKEIbFCLBA8GhTgDFmi/KaK+7Na+hL7kjyQN1FFT85+EKN
DhjnGWu/8ns3lAz3Hw3tAI5K1O5IdjOvWIqhlevi5ml0iczcFg+tSG6xo6yxiSC5
gOboOYjEQ+S+GnRh4UWLRB+N63Mt9RZFw1Ooza92BrzzasRXN7OQJ8DK0chTeBGi
6y1aatKCVYtkED5BX3hBpk79h1GJLGk595n+KBkg/dn/Il/YQpbkBpfSextFRehy
83cS60qovyFZXn26qXie
=65A0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.