Penetration Testing mailing list archives

Re: XSS with encrypted cookie?


From: dd <dd () ghettohackers net>
Date: Wed, 10 Dec 2003 15:00:38 -0800

Yes, it is possible to steal cookies with XSS by using document.cookie regardless of what data is in the cookie (e.g. the data is encrypted, or anything else).

Usually with session tokens, any encryption is performed at the application layer (single encryption key), and hence replaying of the token will still work (assuming the session hasn't expired).

dd

pire pire wrote:
Hi,

I'm wondering if it's possible via an XSS attack to steal an encrypted cookie (actually it's a session token)? (with some JavaScript like: document.cookie etc...)

If yes, is it also possible to replay this cookie? (of course the session must still be valid on the server)

I know it works with a regular cookie.
Thanks a lot for your help
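
An added illustration of the reply's point, not part of either post: a server that encrypts its session token under one application key still accepts any byte-for-byte copy of that token until the session expires, and the `HttpOnly` cookie attribute is what keeps the value out of `document.cookie`. All names, the key handling and the TTL are constructed for this Node.js example.

```javascript
// Added example, constructed: names, key handling and TTL are assumptions.
const crypto = require('crypto');

const KEY = crypto.randomBytes(32);   // single application-wide encryption key
const sessions = new Map();           // session id -> { user, expires }

// Issue a token: the session id encrypted with AES-256-GCM (iv | tag | ciphertext).
function issueToken(user, ttlMs, now = Date.now()) {
  const sid = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, { user, expires: now + ttlMs });
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([c.update(sid, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64url');
}

// Validate a token. Decryption proves the server minted it; nothing here
// ties it to the client it was issued to, so any holder of the bytes passes.
function validateToken(token, now = Date.now()) {
  try {
    const raw = Buffer.from(token, 'base64url');
    const d = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const sid = Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    const s = sessions.get(sid);
    return s && s.expires > now ? s.user : null;
  } catch {
    return null;                      // modified or malformed token
  }
}

// Cookie header that hides the token from page scripts (document.cookie).
function sessionCookie(token) {
  return `session=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

function demo() {
  const t0 = 1000000;                 // fixed clock so the result is repeatable
  const token = issueToken('alice', 60000, t0);
  const tampered = (token[0] === 'A' ? 'B' : 'A') + token.slice(1);
  return {
    original: validateToken(token, t0 + 1000),          // issuing client
    copy: validateToken(String(token), t0 + 2000),      // same bytes, other client
    expired: validateToken(token, t0 + 61000),          // after session expiry
    tampered: validateToken(tampered, t0 + 1000),       // encryption only stops edits
    header: sessionCookie(token),
  };
}

console.log(demo());
```

Encryption here only prevents the client from reading or altering the token; server-side expiry and keeping the cookie unreadable by scripts are what limit reuse of a copied value.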


