WebApp Sec mailing list archives
Re: XSS and URL Encoded Session IDs
From: Ryan Yagatich <ryany () pantek com>
Date: Tue, 17 Dec 2002 06:21:38 -0500 (EST)
BF,

Here's my thought on this, and though it may not be the best solution, it is at least _a_ solution.

Looking at this from the more objective POV, I see the 'problem' as being 'How do I get the SessionID'. Well, I'm not big on the ASP/IIS side of things, but I have noticed a trend in a few ways of getting that information.

Q) How does the client get the SessionID?
A) The client can either get the SessionID from a cookie that is placed on their system (i.e. ASPSESSION='...'), or the server embeds the SID in HREF links on the page.

So, there are 2 places you could write code, either
A) accept the cookie, extract the SessionID
B) retrieve a URL and get the SessionID from the parsed string.

Both of which would take 2-3 different steps.

Thanks,
Ryan Yagatich

,_____________________________________________________,
\ Ryan Yagatich                    support () pantek com \
/ Pantek Incorporated                 (877) LINUX-FIX   /
\ http://www.pantek.com                (440) 519-1802   \
/                                                       /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

On Mon, 16 Dec 2002, B F wrote:
Hi List,

recently I did my first "real" WebApp Audit, so I'm quite new to this topic. The application in case has lots of XSS Vulnerabilities, but they are only accessible if you already know the SessionID of a specific user.

Example
https://somesite.com/bad.asp?SID=4243434234234234?ID=<xss string of choice>

As you may have noticed the site is only accessible via HTTPS. So how to craft a URL which will trigger the XSS? Don't I have to know the SessionID first? The only thing I can think of is to exploit a client side vuln. to get the SID.

Any better ideas?

BF
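The two delivery paths named in the reply above (a session cookie, or the SID embedded in page links), checked from the auditor's side: the sketch below reports where a response exposes a session identifier and whether a session cookie carries the Secure and HttpOnly flags. This is an added example, not part of the original posts; the name list beyond SID and ASPSESSION, the sample header and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# "SID" and the "ASPSESSION" prefix come from the thread; the other names are assumptions.
EXACT_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid"}
PREFIXES = ("aspsession",)

def looks_like_session(name):
    n = name.lower()
    return n in EXACT_NAMES or n.startswith(PREFIXES)

class _LinkCollector(HTMLParser):
    """Collects URL-bearing attributes; HTMLParser unescapes &amp; for us."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "action", "src") and v]

def audit_response(set_cookie_headers, body):
    """Return ('cookie', name, flags) and ('url', name, link) findings."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if looks_like_session(name):
                flags = [f for f in ("secure", "httponly") if morsel[f]]
                findings.append(("cookie", name, flags))
    collector = _LinkCollector()
    collector.feed(body)
    for url in collector.urls:
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if looks_like_session(name):
                # Identifiers in links also end up in Referer headers, logs and history.
                findings.append(("url", name, url))
    return findings

# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = ["ASPSESSIONIDQQGGGNCG=CONSTRUCTEDVALUE; path=/"]
SAMPLE_BODY = ('<a href="bad.asp?SID=0000CONSTRUCTED&amp;ID=7">next</a>'
               '<a href="help.asp?topic=1">help</a>')

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

An empty flag list on a cookie finding, or any url finding, is what to write up in the audit report.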