WebApp Sec mailing list archives
Re: Custom session tokens and XSS
From: Stephen de Vries <stephen.devries () dcode net>
Date: Wed, 13 Aug 2003 13:31:49 +0000 (GMT)
On Wed, 13 Aug 2003, Thomas Chiverton wrote:
> On Wednesday 13 Aug 2003 11:23 am, Stephen de Vries wrote:
> > Any XSS in the page will only have access to the attacker's token - which is useless from an attack point of view.
>
> But the attacker's session will now be running in the victim's browser, where it can steal his cookies, email or whatever.

No, he can steal his own cookie with his own session ID and his own email. How can he steal anything from the victim, if the victim is running the attacker's session?

Stephen