Re: Custom session tokens and XSS

[Thomas Chiverton <thomas.chiverton () bluefinger com>]

On Wednesday 13 Aug 2003 11:23 am, Stephen de Vries wrote:
> I think I may be misunderstanding this,  but if the attacker makes a web
> request and gets a valid token, it will be a valid token for HIS session.
> By creating a malicious email/web page with this token, the victim will be
> opening the attackers session!
> Any XSS in the page, will only have access to the attackers token - which
> is useless from an attack point of view.

But the attackers session will now be running in the victims browser, where it 
can steal his cookies, email or whatever.

-- 
Tom Chiverton (sorry 'bout sig.)
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: tom.chiverton () bluefinger com
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.
*** This E-mail contains confidential information for the addressee
only. If you are not the intended recipient, please notify us
immediately. You should not use, disclose, distribute or copy this
communication if received in error. No binding contract will result from
this e-mail until such time as a written document is signed on behalf of
the company. BlueFinger Limited cannot accept responsibility for the
completeness or accuracy of this message as it has been transmitted over
public networks.***