Date: Sat, 28 Jun 2014 00:15:08 -0600
From: Kurt Seifried <>
Subject: Re: Re: Question regarding CVE applicability of missing HttpOnly flag

On 27/06/14 07:09 PM, Vincent Danen wrote:
> On 06/27/2014, at 14:03 PM, wrote:
>>> I suppose maybe there is a CWE for not having a virus scanner,
>>> which makes sense as that could be considered an overall system
>>> weakness.
>> Neither CVE nor CWE attempts to cover the general topic of
>> system integration, i.e., questions such as "given the
>> composition and role of this entire system, is it unreasonable to
>> omit a virus scanner?" In practice, both CVE and CWE often tend
>> to be about questions that may come up when considering somewhere
>> around one line of code or one file of code. (This is just an
>> observational statement, not an attempt to redefine why CVE and
>> CWE exist.) Typical audiences may include (among others)
>> developers who need to write a line of code safely or system 
>> administrators who need to patch a faulty line of code.
>> This doesn't mean that there's any objection to someone taking
>> the position that lack of a virus scanner is the most serious
>> security concern that they see in an entire system. This is a
>> valid perspective but is outside of the problem spaces in which
>> CVE and CWE have been operating. Even if everyone were looking at
>> "whether or not a flaw is a flaw" decisions in precisely the same
>> way, a conclusion of "yes, this system would really benefit from
>> a virus scanner" leaves open the question of the best place to
>> capture that information.
> Then shouldn't the same be true of the HttpOnly flag?  That line
> of thought is pretty much what I think in regards to that flag.
> I don't know if you missed my comment in an earlier message, so
> I'll note it below because I think this is the real point:
> "Kurt's argument about everything having an XSS makes it sound
> like, and the reasoning provided here as well, that we should no
> longer consider XSS a security flaw, but the absence of HttpOnly
> the security flaw.  I mean, if setting this flag "fixes" all XSS
> issues, then we should no longer be assigning CVEs to XSS issues,
> only to web servers/services that do not set HttpOnly or browsers
> that do not respect/handle it properly.  They can't _both_ get CVEs
> or be considered flaws, can they?"

Actually my point was more that back in the day cookie theft was
relatively rare, now it is pretty common thanks largely to XSS:

so in my opinion we should assume most web based apps have XSS vulns
(I think that's a safe assumption =), as such then the use of HTTPOnly
on cookies becomes a virtual necessity to protect cookies as opposed
to a "nice to have hardening feature". In other words the security bar
should be moved (at least that's my opinion).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
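As an added example (not code from this thread, from Red Hat, or from oss-security), a small Python audit that parses a Set-Cookie header and flags a session cookie issued without HttpOnly, next to the hardened form of the same header; the header values and cookie name are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attributes.

Added example, not code from the thread. Header samples are constructed."""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.
    Attribute names are case-insensitive (RFC 6265); bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(header: str) -> CookieAudit:
    """Report a cookie set without HttpOnly or Secure. HttpOnly keeps
    document.cookie from exposing the value to injected script, which is
    why the thread treats it as a necessity rather than hardening."""
    c = parse_set_cookie(header)
    httponly = c["attrs"].get("httponly") is True
    secure = c["attrs"].get("secure") is True
    findings = []
    if not httponly:
        findings.append("missing HttpOnly: readable via document.cookie under XSS")
    if not secure:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    return CookieAudit(c["name"], httponly, secure, findings)


# Constructed samples: the weak header and the hardened form of the same cookie.
WEAK = "SESSIONID=abc123; Path=/"
HARDENED = "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        result = audit_set_cookie(h)
        print(result.name, "->", result.findings or "ok")
```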