Re: Custom session tokens and XSS

[Ingo Struck <ingo () ingostruck de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi...

> I was interested in the possibilty of hijacking an existing,
> already logged-in, session via XSS vulnerabilities in the situation where a
> hidden form field is used to transmit the token.
Well, ok.
Regarding existing session stealing XSS attacks, there is really no difference 
at all between a hidden form field and a cookie - both are equally accessible
from within javascript. So if the attacker can induce any xss payload on the
victim, it doesnt make much difference if you store the session token in a 
cookie or in a hidden form field. They can both be read by a javascript and
then submitted using any common technique to a third location.
This also holds true for any SID stored in the URL.

Bottom line:
It is equally easy / difficult for an attacker who is able to induce xss 
payload on the victim's browser to steal any existing SID be it stored
within cookie, hidden form field or URL.

(That means that you should encourage all your users to switch off all kind of 
scripting and don't rely on it within your apps).

Kind regards

Ingo

- -- 
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/O4gGhQivkhmqPSQRAqQJAJ92JRCckSYBgMCdprBC0ldIK2ya8wCdGNwQ
QEEy9zOu2mQisJfrGnkQhvg=
=ZMEC
-----END PGP SIGNATURE-----