Cross-Site Tracing (XST)

October 23 2002, Microsoft issued a press release describing a new browser/server based protective security measure within of internet explorer 6 sp1. This new feature, dubbed “httponly”, helps guard http cookies against xss (cross-site scripting) attack. WhiteHat Security, heavily focused on web application security research and technology, began to investigate the feature in order to determine what it meant to web security. First of all, anything that attempts to help prevent the xss plague on the web is a good thing. Most of us in the web application security field already know the great pains required to prevent the ever-present existence of xss issues.

After much security review, I posted to bugtraq stating that the new httpOnly security feature, which is nicely effective for the intended purpose, is limited in xss protection scope. Limited in that the security feature only prohibits the exposure of cookie data through the “document.cookie” object. However, Microsoft has taken an excellent first step in the right direction to prevent xss as a whole.

A week later into testing of httpOnly, WhiteHat staff discovered a new web security attack technique that is able not only to bypass the httpOnly mechanism present in i.e. 6 service pack 1, but in addition the ability to xss “just about” anything from “just about” anywhere. This technique allows client-side scripting languages, such as javascript, and possibly other client-side technologies like vbscript, flash, java, etc., the ability access http web authentication credentials, with the added bonus of achieving this result over ssl. This ability has never before been previously possible. These new exposures will be explained with detail in the proceeding sections to illustrate the concepts.

Download the paper in PDF format here.