
RE: Custom session tokens and XSS

From: Stephen de Vries <stephen.devries(at)dcode.net>
Date: Wed Aug 13 2003 - 06:23:26 EDT

I think I may be misunderstanding this, but if the attacker makes a web request and gets a valid token, it will be a valid token for HIS session. By creating a malicious email/web page with this token, the victim will be opening the attacker's session!
Any XSS in the page will only have access to the attacker's token, which is useless from an attack point of view.

Stephen de Vries

On Tue, 12 Aug 2003, Rob Morhaime wrote:

> I do believe this setup would be vulnerable to a "session fixation" attack, as
Received on Wed Aug 13 07:14:46 2003
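The scenario argued over in this exchange, modelled as an added example that is not from the list or from either poster: a minimal server-side session store in which an attacker first obtains a valid token by an ordinary request and then gets the victim to present that token while logging in. The `SessionStore` class, the `CREDENTIALS` table and the `run_fixation_attack` helper are constructed for the demonstration. The same store is run twice, once keeping the pre-login token after authentication and once retiring it and issuing a fresh one at login, so the two outcomes can be compared directly.

```python
import secrets

# Constructed credential table for the demonstration; not real accounts.
CREDENTIALS = {"victim": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session store keyed by an opaque token.

    regenerate_on_login=False keeps the token handed out before
    authentication and simply marks it as logged in, which is the
    behaviour under discussion in the thread.
    regenerate_on_login=True issues a fresh token at login and retires
    the old one, the usual countermeasure against session fixation.
    """

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # token -> {"user": username or None}

    def new_session(self) -> str:
        """Anonymous visit: the server mints a token for whoever asks."""
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": None}
        return token

    def login(self, presented_token: str, username: str, password: str):
        """Authenticate; returns the token the client should use afterwards,
        or None if the credentials are wrong."""
        if CREDENTIALS.get(username) != password:
            return None
        if presented_token not in self._sessions:
            # Unknown token: treat the client as a fresh anonymous visitor.
            presented_token = self.new_session()
        if self.regenerate_on_login:
            # Retire the pre-login token so anyone who already holds it
            # (including whoever planted it) cannot ride the new session.
            del self._sessions[presented_token]
            fresh = self.new_session()
            self._sessions[fresh]["user"] = username
            return fresh
        # Vulnerable path: upgrade the pre-login token in place.
        self._sessions[presented_token]["user"] = username
        return presented_token

    def whoami(self, token: str):
        """Return the user bound to a token, or None if it is unknown/anonymous."""
        sess = self._sessions.get(token)
        return sess["user"] if sess else None


def run_fixation_attack(store: SessionStore) -> dict:
    """Replay the scenario from the thread and report what each party ends up with."""
    # 1. Attacker makes an ordinary request and receives a valid token.
    planted = store.new_session()
    # 2. Attacker delivers that token to the victim (crafted link, a script
    #    that sets the cookie, etc.); the victim's browser now presents it.
    # 3. Victim logs in with the planted token attached to the request.
    victim_token = store.login(planted, "victim", CREDENTIALS["victim"])
    # 4. Attacker presents the token they planted and asks who they are.
    return {
        "attacker_sees": store.whoami(planted),
        "victim_token_changed": victim_token != planted,
    }


if __name__ == "__main__":
    for regen in (False, True):
        print("regenerate_on_login=%s -> %s"
              % (regen, run_fixation_attack(SessionStore(regen))))
```

Run as a script it prints one line per variant. With the token kept across login, the attacker's pre-issued token is the victim's authenticated session; with regeneration, the planted token is dead after login and the victim holds a token the attacker never saw.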

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

