WebApp Sec mailing list archives

Re: Custom session tokens and XSS

From: Stephen de Vries <stephen.devries () dcode net>
Date: Wed, 13 Aug 2003 13:06:03 +0000 (GMT)


On Wed, 13 Aug 2003, Ingo Struck wrote:

By creating a malicious email/web page with this token, the victim will be
opening the attackers session!

Yeah, that's exactly a successful attack!


Not really, because the attacker has not stolen the victims session, all
he has done (as you state below) is that the attacker is running the
attackers session, in the victims browser.  All other XSS attacks apply,
but not stealing the session.

This is *NOT AT ALL* useless from an attack point of view:

a) attacker creates a session token
b) attacker tricks victim to use "his" session token
c) victim logs in on this session
d) attacker has still access to the session and thus can do anything
the victim could do too.


I understand a-d, but I still don't see how the attacker is going to steal
the victims session token.
Let's say this is a banking application.  The procedure you've described
above will allow the _victim_ to transfer funds from the attackers
session, since the only valid session token is the attackers.
At point d, the victim is now running the attackers session (with the
attackers token) in his browser.  How does the attacker get the victim to
regenerate another session token, this time for their own (ie.
victims) session and still have the ability of stealing this token?


Stephen


Of course this only works, if the application does not switch session id
upon login (most don't!) and if the application does not check for equal
source IPs (most don't).
That's why it is strongly recommended at least to switch session tokens
upon login; checking source IP for subsequent requests is a nice-to-have
but may close off users who come frome providers with dynamic IP allocation.

Kind regards

Ingo

- --
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/OjL8hQivkhmqPSQRAr6KAJ9z0lNbwutL1ba4pGpY3aEoV8OnMwCePl6k
RuthsqpwJx/GXUzAYOIOu3Y=
=NTA7
-----END PGP SIGNATURE-----

Current thread:

Custom session tokens and XSS PortSwigger (Aug 12)
- Re: Custom session tokens and XSS Marc Slemko (Aug 12)
- <Possible follow-ups>
- RE: Custom session tokens and XSS Dean Saxe (Aug 12)
- RE: Custom session tokens and XSS Rob Morhaime (Aug 12)
  - RE: Custom session tokens and XSS Stephen de Vries (Aug 13)
    - Re: Custom session tokens and XSS Thomas Chiverton (Aug 13)
    - Re: Custom session tokens and XSS Stephen de Vries (Aug 13)
    - Re: Custom session tokens and XSS Ingo Struck (Aug 13)
    - Re: Custom session tokens and XSS Stephen de Vries (Aug 13)
    - Re: Custom session tokens and XSS Cyrill Osterwalder (Aug 13)
    - Re: Custom session tokens and XSS PortSwigger (Aug 13)
    - Re: Custom session tokens and XSS Ingo Struck (Aug 14)
    - Re: Custom session tokens and XSS PortSwigger (Aug 14)
    - Re: Custom session tokens and XSS Ingo Struck (Aug 14)
    - Re: Custom session tokens and XSS Ian (Aug 14)
    - Switching off scripts Ingo Struck (Aug 14)
    - Re: Custom session tokens and XSS PortSwigger (Aug 14)
    - Re: Custom session tokens and XSS Stephen de Vries (Aug 14)
  - Re: Custom session tokens and XSS dafydd (Aug 13)

(Thread continues...)