WebApp Sec mailing list archives
Re: Custom session tokens and XSS
From: Ingo Struck <ingo () ingostruck de>
Date: Thu, 14 Aug 2003 15:00:50 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi...
I was interested in the possibilty of hijacking an existing, already logged-in, session via XSS vulnerabilities in the situation where a hidden form field is used to transmit the token.
Well, ok. Regarding existing session stealing XSS attacks, there is really no difference at all between a hidden form field and a cookie - both are equally accessible from within javascript. So if the attacker can induce any xss payload on the victim, it doesnt make much difference if you store the session token in a cookie or in a hidden form field. They can both be read by a javascript and then submitted using any common technique to a third location. This also holds true for any SID stored in the URL. Bottom line: It is equally easy / difficult for an attacker who is able to induce xss payload on the victim's browser to steal any existing SID be it stored within cookie, hidden form field or URL. (That means that you should encourage all your users to switch off all kind of scripting and don't rely on it within your apps). Kind regards Ingo - -- ingo () ingostruck de Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux) iD8DBQE/O4gGhQivkhmqPSQRAqQJAJ92JRCckSYBgMCdprBC0ldIK2ya8wCdGNwQ QEEy9zOu2mQisJfrGnkQhvg= =ZMEC -----END PGP SIGNATURE-----
Current thread:
- RE: Custom session tokens and XSS, (continued)
- RE: Custom session tokens and XSS Rob Morhaime (Aug 12)
- RE: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS Thomas Chiverton (Aug 13)
- Re: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS Ingo Struck (Aug 13)
- Re: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS Cyrill Osterwalder (Aug 13)
- Re: Custom session tokens and XSS PortSwigger (Aug 13)
- Re: Custom session tokens and XSS Ingo Struck (Aug 14)
- Re: Custom session tokens and XSS PortSwigger (Aug 14)
- Re: Custom session tokens and XSS Ingo Struck (Aug 14)
- Re: Custom session tokens and XSS Ian (Aug 14)
- Switching off scripts Ingo Struck (Aug 14)
- RE: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS PortSwigger (Aug 14)
- Re: Custom session tokens and XSS Stephen de Vries (Aug 14)
- RE: Custom session tokens and XSS Rob Morhaime (Aug 12)
- Re: Custom session tokens and XSS Ingo Struck (Aug 14)