Re: Custom session tokens and XSS

From: Stephen de Vries (stephen.devriesdcode.net)
Date: Wed Aug 13 2003 - 08:31:49 CDT


On Wed, 13 Aug 2003, Thomas Chiverton wrote:

> On Wednesday 13 Aug 2003 11:23 am, Stephen de Vries wrote:
> > Any XSS in the page will only have access to the attacker's token - which
> > is useless from an attack point of view.
>
> But the attacker's session will now be running in the victim's browser, where it
> can steal his cookies, email or whatever.

No, he can steal his own cookie with his own session ID and his own email.
How can he steal anything from the victim, if the victim is running the
attacker's session?

Stephen

>
> --
> Tom Chiverton (sorry 'bout sig.)
> Advanced ColdFusion Programmer
>
> Tel: +44(0)1749 834997
> email: tom.chivertonbluefinger.com
> BlueFinger Limited
> Underwood Business Park
> Wookey Hole Road, WELLS. BA5 1AF
> Tel: +44 (0)1749 834900
> Fax: +44 (0)1749 834901
> web: www.bluefinger.com
> Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
> Quay, BRISTOL. BS1 6EG.
> *** This E-mail contains confidential information for the addressee
> only. If you are not the intended recipient, please notify us
> immediately. You should not use, disclose, distribute or copy this
> communication if received in error. No binding contract will result from
> this e-mail until such time as a written document is signed on behalf of
> the company. BlueFinger Limited cannot accept responsibility for the
> completeness or accuracy of this message as it has been transmitted over
> public networks.***
>
>