[owasp-intrinsic-security] IE HTTPOnly Patch

Jim Manico jim.manico at aspectsecurity.com
Fri Nov 14 15:37:40 EST 2008


IE's patch MS08-069
<http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx>  does
not COMPLETELY stop HTTPOnly cookie exposure. 

Robert Hansen was kind enough to add a set-cookie2 test to
http://ha.ckers.org/httponly.cgi today, which indeed IE exposes via
XMLHTTPRequest response headers. 

Robert has already brought this to MS's attention.

Looks like Firefox 3.1 or 3.2 will be the first browser to really
implement HTTPOnly completely.

Jim Manico, Senior Application Security Engineer

jim.manico at aspectsecurity.com <mailto:jim.manico at aspectsecurity.com> 

(301) 604-4882 (work) 

(808) 652-3805 (cell) 

Aspect Security(tm)

Securing your applications at the source
<http://www.aspectsecurity.com/aboutaspect.htm> 

http://www.aspectsecurity.com <http://www.aspectsecurity.com> 
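The check the post describes, as an added example that is not part of the original message or of the ha.ckers.org test page: it parses the string a browser hands back from XMLHttpRequest.getAllResponseHeaders() and reports any Set-Cookie or Set-Cookie2 header that reached script. A browser that honours HttpOnly fully should report none. The sample header block and the endpoint URL in checkBrowser are constructed assumptions.

```javascript
// Parse the "Name: value\r\n" lines returned by getAllResponseHeaders()
// into lower-cased name/value pairs.
function parseRawHeaders(raw) {
  return raw.split(/\r?\n/).filter(Boolean).map(function (line) {
    var idx = line.indexOf(':');
    return {
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim()
    };
  });
}

// Return every cookie-setting header the browser exposed to script,
// covering both the Set-Cookie and the Set-Cookie2 (RFC 2965) form,
// and whether that cookie carried the HttpOnly attribute.
function findExposedCookieHeaders(raw) {
  var exposed = [];
  parseRawHeaders(raw).forEach(function (h) {
    if (h.name !== 'set-cookie' && h.name !== 'set-cookie2') return;
    var attrs = h.value.split(';').map(function (s) {
      return s.trim().toLowerCase();
    });
    exposed.push({
      header: h.name,
      cookieName: h.value.split('=')[0].trim(),
      httpOnly: attrs.indexOf('httponly') !== -1
    });
  });
  return exposed;
}

// Constructed sample: what a browser that only filters Set-Cookie,
// but still leaks Set-Cookie2, would return to script.
var SAMPLE_HEADERS =
  'Content-Type: text/html\r\n' +
  'Set-Cookie2: legacy=xyz; Version=1; HttpOnly\r\n';

// In a browser: request an endpoint (assumed to set HttpOnly cookies
// with both header forms) and pass the exposed headers to callback.
function checkBrowser(url, callback) {
  var xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    callback(findExposedCookieHeaders(xhr.getAllResponseHeaders()));
  };
  xhr.send(null);
}
```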
