WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Custom session tokens and XSS

From: Stephen de Vries <stephen.devries () dcode net>
Date: Wed, 13 Aug 2003 13:31:49 +0000 (GMT)

On Wed, 13 Aug 2003, Thomas Chiverton wrote:


On Wednesday 13 Aug 2003 11:23 am, Stephen de Vries wrote:

Any XSS in the page, will only have access to the attackers token - which
is useless from an attack point of view.


But the attackers session will now be running in the victims browser, where it
can steal his cookies, email or whatever.


No, he can steal his own cookie with his own session ID and his own email.
How can he steal anything from the victim, if the victim is running the
attackers' session?

Stephen




--
Tom Chiverton (sorry 'bout sig.)
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: tom.chiverton () bluefinger com
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.
*** This E-mail contains confidential information for the addressee
only. If you are not the intended recipient, please notify us
immediately. You should not use, disclose, distribute or copy this
communication if received in error. No binding contract will result from
this e-mail until such time as a written document is signed on behalf of
the company. BlueFinger Limited cannot accept responsibility for the
completeness or accuracy of this message as it has been transmitted over
public networks.***
Previous By Date Next
Previous By Thread Next

Current thread: