|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: XSS with encrypted cookie?
From: Rajesh Jose (rajesh.jose
paladion.net)
Date: Thu Dec 11 2003 - 03:54:21 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
I didn't get "encrypted session token cookie". Normally nobody will be
encrypting a session token. So far as the session token is strongly
random nothing can be achieved by encrypting it.
Or did you mean secure cookie?
Secure cookie is a cookie which can be fetched by the server only
through a SSL channel.
In all these cases "encrypted, not-encrypted and secured" it is possible
to fetch a cookie through XSS attack and replay the session.
Replaying of session token will not possible if the application is using
source IP for session validation.
Cheers,
Rajesh
-----Original Message-----
From: pire pire [mailto:pirepire69romandie.com]
Sent: Wednesday, December 10, 2003 1:14 PM
To: pen-testsecurityfocus.com
Subject: XSS with encrypted cookie?
Hi,
I'm wondering if it's possible via a XSS attack to steal an
encrypted cookie (actually it's a session token)? (with some
javascript like: document.cookie etc...)
If yes, is it also possible to replay this cookie? (of course the
session must still be valid on the server)
I know it works with regular cookie.
Thanks a lot for your help
_______________________________________________
La messagerie gratuite des romands : 10 MO !!!
Profitez-en ! >>> http://www.romandie.com
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]