From: Jill Tovey (jill.tovey_at_bigbluedoor.com)
Date: Thu Dec 05 2002 - 05:10:36 CST
You can get the cookie to send to a page with an XSS exploit in it, and use
that so the value is passed and recorded to a file,
thus getting their 'autologinid' value.
Does that help?
>From: "frank fish" <frankfish1962@hotmail.com>
>Subject: Can I obtain BASIC AUTH credentials using an XSS vulnerability
>Date: Mon, 02 Dec 2002 15:14:20 +0000
>I have an application that uses IIS with basic authentication. The
>application has an XSS vulnerability that when exploited will allow me to
>collect the ASP Session Cookie from a logged-on user.
>However, this cookie is not enough for me to use to access the
>I need to get instead the BASE64 encoded authentication string. Is there a
>way to get this string via the XSS vulnerability?
>Thanks for any advice, Frank