Re: Custom session tokens and XSS

["Ian" <webappsec () fishnet co uk>]

On 14 Aug 2003 at 15:00, Ingo Struck wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi...
>
> > I was interested in the possibilty of hijacking an existing,
> > already logged-in, session via XSS vulnerabilities in the situation where a
> > hidden form field is used to transmit the token.
> Well, ok.
> Regarding existing session stealing XSS attacks, there is really no difference 
> at all between a hidden form field and a cookie - both are equally accessible
> from within javascript. So if the attacker can induce any xss payload on the
> victim, it doesnt make much difference if you store the session token in a 
> cookie or in a hidden form field. They can both be read by a javascript and
> then submitted using any common technique to a third location.
> This also holds true for any SID stored in the URL.
>
> Bottom line:
> It is equally easy / difficult for an attacker who is able to induce xss 
> payload on the victim's browser to steal any existing SID be it stored
> within cookie, hidden form field or URL.
>
> (That means that you should encourage all your users to switch off all kind of 
> scripting and don't rely on it within your apps).

That's a bit extreme.  Why not just fix the XSS hole.

Regards

Ian
--