Thursday, May 22, 2008

HttpOnly Crusade Update

I would like to report two exciting victories regarding the ongoing HttpOnly crusade!

1) The underlying network library used for Safari, the Qt C++ library, and in particular its QNetworkCookie class, has finished adding HttpOnly support! See http://trolltech.com/developer/task-tracker/index_html?id=206125&method=entry for more information on the specific bug. My undercover Safari developer resource tells me that Safari is soon to follow with full HttpOnly support in both the Windows and OS X versions!

2) The latest version of the Servlet 3.0 specification (JSR 315) has added HttpOnly support to both the Cookie and SessionCookieConfig classes. You can download the JavaDoc here. Thank you to Rajiv Mordani @ Sun!

HttpOnly is not a cure-all. It is simply one defense-in-depth measure that helps prevent XSS session hijacking attacks. HttpOnly can also be circumvented by triggering an AJAX request through the XMLHttpRequest object and reading the cookie data out of the response headers. Fellow HttpOnly crusader Eric Bing from Oracle is also leading the charge, communicating with the W3C about future specifications that would prevent the XMLHttpRequest JavaScript object from accessing HttpOnly cookies! Exciting!
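Because the flag only helps when it is actually set, a quick audit of the Set-Cookie headers an application emits is worth automating. The following Python script is an added example, not code from this post or from any of the projects mentioned: it parses Set-Cookie header values the way a browser would (attribute names case-insensitive) and reports cookies missing HttpOnly or Secure, rating a missing HttpOnly as HIGH when the cookie name looks like a session identifier. The session-cookie name list and the sample headers are constructed assumptions.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags."""
from typing import Dict, List

# Cookie names that typically carry a session identifier (assumption: a
# starter list; extend it with your own application's session cookie name).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sid", "sessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased so that 'HttpOnly', 'httponly' and
    'HTTPONLY' all match, as browsers treat them. Flag attributes without a
    value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per cookie that is missing HttpOnly or Secure."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        is_session = cookie["name"].lower() in SESSION_COOKIE_NAMES
        if "httponly" not in attrs:
            severity = "HIGH" if is_session else "LOW"
            findings.append(f"{severity}: cookie '{cookie['name']}' lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"INFO: cookie '{cookie['name']}' lacks Secure")
    return findings


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/; HttpOnly; Secure",
    "PHPSESSID=abc123; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

Feed it the Set-Cookie lines from a proxy capture or a curl -i run of your own application; only the PHPSESSID-style finding without HttpOnly is the one that matters for session hijacking.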

In other HttpOnly news:

WebLogic is testing an HttpOnly flag and is currently reviewing the patch "for feasibility".

There is a Firefox bug already addressing the circumvention of HttpOnly via XMLHttpRequest headers as described above. Please consider adding your vote to help encourage the team to lock down this HttpOnly circumvention vector: https://bugzilla.mozilla.org/votes.cgi?action=show_user&bug_id=380418#vote_380418

And the Crusade Continues...

ShakaCon 2008 Hawaii

You now have a business-critical reason to encourage your boss to send you to Hawaii. ShakaCon 2008 (June 9th-13th) is Hawaii's only information security, IT audit, compliance and ethical hacking conference!

For the second year running, one of the most beautiful places on Earth will serve as the backdrop for this truly unique security conference experience.

ShakaCon will include a wide variety of security speakers, including an update on the OWASP ESAPI (Enterprise Security API) project on June 11th. ShakaCon will also host a two-day Web Application Security Training course by the Aspect Security Hawaii office on June 12th and 13th.
For more information, please see http://www.shakacon.org/ or download the registration form here.