WebApp Sec mailing list archives
Re: Custom session tokens and XSS
From: Ingo Struck <ingo () ingostruck de>
Date: Thu, 14 Aug 2003 17:35:07 +0200
Hi...
> The reason to log a session out when a bad token is received is so that if someone steals the token (somehow), then the real user's next use of their token will cause the attacker to get logged out.
Yep, of course that logging-off-the-other-one works vice versa. :o) The problem here is that users tend to log themselves off very often if they hit the browser's "reload" button. In this case an old (thus invalid) token is submitted. I had lots of users of a real application complaining about that.
> It opens a denial of service capability but closes another hole.
This is the case for other problems too; you have to balance the reasons for the security measures you take. But maybe you're right: the nuisance of being logged off unintentionally may outweigh the risk of having some transaction tokens stolen.

Kind regards
Ingo

--
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24
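The two policies discussed in this exchange, as an added example that is not from the thread or from any application mentioned in it: a per-request rotating transaction-token store where a stale token either terminates the session (so a stolen token is neutralised, but a browser reload that resubmits the previous token logs the legitimate user out) or is tolerated once within a short grace window. The SessionStore class, its methods and the `now` parameter are assumptions made for this illustration.

```python
import secrets
import time


class SessionStore:
    """Hypothetical per-request transaction-token store (constructed example).

    strict=True : any token other than the current one ends the session.
                  A stolen token is neutralised as soon as either party
                  submits a stale one, but a browser reload (which resubmits
                  the previous token) logs the legitimate user out too.
    strict=False: the immediately previous token is still accepted within
                  `grace_seconds`, absorbing reloads at the cost of a short
                  window in which a stolen copy of that token also works.
    """

    def __init__(self, strict=True, grace_seconds=5.0):
        self.strict = strict
        self.grace = grace_seconds
        self.sessions = {}  # session_id -> {"current", "previous", "rotated_at"}

    def login(self, session_id, now=None):
        now = time.monotonic() if now is None else now
        token = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"current": token, "previous": None, "rotated_at": now}
        return token

    def use(self, session_id, token, now=None):
        """Validate a submitted token; return (accepted, token_for_next_request).

        On rejection the whole session is dropped and (False, None) is returned.
        """
        now = time.monotonic() if now is None else now
        sess = self.sessions.get(session_id)
        if sess is None:
            return False, None
        if secrets.compare_digest(token, sess["current"]):
            # Normal path: rotate so the token just used can never be replayed.
            sess["previous"], sess["current"] = sess["current"], secrets.token_urlsafe(16)
            sess["rotated_at"] = now
            return True, sess["current"]
        reload_ok = (
            not self.strict
            and sess["previous"] is not None
            and secrets.compare_digest(token, sess["previous"])
            and now - sess["rotated_at"] <= self.grace
        )
        if reload_ok:
            # Treat as a reload/double-submit: re-issue the current token without rotating.
            return True, sess["current"]
        # Stale or forged token: terminate the session for everyone holding it.
        del self.sessions[session_id]
        return False, None
```

With `strict=True` the reload in the second step below ends the session, which is exactly the complaint described above; with `strict=False` it is absorbed, but a token captured inside the grace window is equally accepted.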