RE: Cookie poisoning without XSS

["Richard M. Smith" <rms () computerbytesman com>]

A cookie can be changed by a program that runs on a client's computer and
modifies a cookie file.  A HTTP proxy server can also modify cookie values
in transit.  An IE BHO or toolbar can also change a cookie value via the
DOM.  HTML applications can change a cookie value via the DOM too.

Richard

-----Original Message-----
From: Smith Norton [mailto:smith.norton () gmail com] 
Sent: Friday, August 25, 2006 10:17 AM
To: webappsec () securityfocus com
Subject: Cookie poisoning without XSS

I was reading about cookie poisoning. I want to know if there is any way we
can poision cookies if XSS vulnerability is not possible.

As far as I know, only in the presence of an XSS vulnerability, cookies can
be modified. Can anyone describe a method of cookie poisoning even without
XSS.

Small code snippets would be very helpful to me.

Smith

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnG
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnG
--------------------------------------------------------------------------