Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: Custom session tokens and XSS
From: Ingo Struck (ingoingostruck.de)
Date: Thu Aug 14 2003 - 08:00:50 CDT
-----BEGIN PGP SIGNED MESSAGE-----
> I was interested in the possibilty of hijacking an existing,
> already logged-in, session via XSS vulnerabilities in the situation where a
> hidden form field is used to transmit the token.
Regarding existing session stealing XSS attacks, there is really no difference
at all between a hidden form field and a cookie - both are equally accessible
victim, it doesnt make much difference if you store the session token in a
then submitted using any common technique to a third location.
This also holds true for any SID stored in the URL.
It is equally easy / difficult for an attacker who is able to induce xss
payload on the victim's browser to steal any existing SID be it stored
within cookie, hidden form field or URL.
(That means that you should encourage all your users to switch off all kind of
scripting and don't rely on it within your apps).
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
-----END PGP SIGNATURE-----