Re: Custom session tokens and XSS
From: Ingo Struck (ingo ingostruck.de)
Date: Thu Aug 14 2003 - 08:00:50 CDT
Hi...
> I was interested in the possibility of hijacking an existing,
> already logged-in, session via XSS vulnerabilities in the situation where a
> hidden form field is used to transmit the token.
Well, ok.
Regarding existing session-stealing XSS attacks, there is really no difference
at all between a hidden form field and a cookie - both are equally accessible
from within JavaScript. So if the attacker can induce any XSS payload on the
victim, it doesn't make much difference if you store the session token in a
cookie or in a hidden form field. They can both be read by JavaScript and
then submitted using any common technique to a third location.
This also holds true for any SID stored in the URL.
Bottom line:
It is equally easy / difficult for an attacker who is able to induce an XSS
payload in the victim's browser to steal any existing SID, be it stored
within a cookie, a hidden form field or the URL.
(That means that you should encourage all your users to switch off all kinds of
scripting and not rely on it within your apps.)
Kind regards
Ingo
--
ingo ingostruck.de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24