WebApp Sec mailing list archives
Re: Custom session tokens and XSS
From: "Ian" <webappsec () fishnet co uk>
Date: Thu, 14 Aug 2003 14:36:17 +0100
On 14 Aug 2003 at 15:00, Ingo Struck wrote:
> Hi...
>
> > I was interested in the possibility of hijacking an existing, already logged-in, session via XSS vulnerabilities in the situation where a hidden form field is used to transmit the token.
>
> Well, ok. Regarding existing session stealing XSS attacks, there is really no difference at all between a hidden form field and a cookie - both are equally accessible from within javascript. So if the attacker can induce any xss payload on the victim, it doesn't make much difference if you store the session token in a cookie or in a hidden form field. They can both be read by a javascript and then submitted using any common technique to a third location. This also holds true for any SID stored in the URL.
>
> Bottom line: It is equally easy / difficult for an attacker who is able to induce xss payload on the victim's browser to steal any existing SID, be it stored within cookie, hidden form field or URL. (That means that you should encourage all your users to switch off all kinds of scripting and don't rely on it within your apps.)
That's a bit extreme. Why not just fix the XSS hole?

Regards

Ian
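The server-side fix Ian's reply points at, as an added example that is not part of the thread: the vulnerable rendering that lets markup in user input reach a page carrying the session token in a hidden field, next to the escaped version, plus a review check that the template's own element set is all that appears in the output. The template, the `sid` placeholder and the sample display name are constructed for this example; the HttpOnly cookie helper is a companion hardening the thread does not discuss.

```python
import html
import re

# Page template (constructed): the session token travels in a hidden form
# field, as in the thread; the display name is user-supplied.
TEMPLATE = (
    "<p>Welcome, {name}</p>\n"
    '<form method="post" action="/transfer">\n'
    '  <input type="hidden" name="sid" value="{sid}">\n'
    "</form>"
)


def render_vulnerable(name: str, sid: str) -> str:
    """'Before': raw interpolation, so markup in `name` becomes page markup
    and any script it carries runs with access to the whole DOM, hidden
    field included."""
    return TEMPLATE.format(name=name, sid=sid)


def render_fixed(name: str, sid: str) -> str:
    """'After': every untrusted value is HTML-escaped for the text or
    attribute context it lands in."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        sid=html.escape(sid, quote=True),
    )


_FOREIGN_TAG = re.compile(r"<\s*/?\s*(script|img|svg|iframe|object)\b", re.I)


def has_foreign_tag(page: str) -> bool:
    """Review check: the template emits only <p>, <form> and <input>, so any
    script-capable element in the output came from unescaped input."""
    return bool(_FOREIGN_TAG.search(page))


def session_cookie_header(sid: str) -> str:
    """Companion hardening (added, not from the thread): a session cookie
    flagged HttpOnly is not exposed through document.cookie, a property a
    hidden form field or URL parameter cannot offer."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Constructed sample input: a display name carrying script markup.
SAMPLE_NAME = "alice<script>x()</script>"
SAMPLE_SID = "s3ss10n-t0k3n"  # constructed placeholder token
```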