Hosting Provided By

Re: Custom session tokens and XSS

From: Ingo Struck <ingo(at)ingostruck.de>
Date: Thu Aug 14 2003 - 04:52:21 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi...

Well, maybe it's a problem of terminology... ;o) You talk of a
"custom session token in a hidden form field". - From that I would conclude that this token remains constant over the complete session. If it is like that, i.e. constant, then it makes no difference if you submit the session id (SID) with hidden form fields or any other mechanism. If the victim gets tricked into logging in on that SID (be it with a scripted POST request or not), then the attacker has effectively exactly the same chance to do whatever he wants with that SID.

From what you write further on, I conclude that you're talking of a "transaction token" that changes on a per-request basis rather than a "session token". If you meant that, then you're of course right: Even if you trick somebody to login with a valid transaction token, then that token changes with the next response / request cycle and the attacker has no clue about that next token. Implementing that is a good thing against the simple "session foisting", but still open to mitm attacks.

You say, that if the request does not contain a valid transaction token, then the user is passed to the login page (which implies that the old session will be invalidated). I wouldn't implement it like that but rather pass a 403 back. Logging off the user on invalid requests opens up the chance for attackers to log off other users with invalid requests. You should rather simply drop illegal requests

Kind regards

Ingo

-- ingo@ingostruck.de Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/O03JhQivkhmqPSQRAv6NAKDN0qSyDlRyA8bjZneaMObQYFMCjgCg1mGo xjv8tgPZKGkLsszXNIVyQiw=
=LmVX
-----END PGP SIGNATURE-----
Received on Thu Aug 14 07:20:26 2003

Do you need help?

This message: [ Message body ]
Next message: PortSwigger: "Re: Custom session tokens and XSS"
Previous message: Kevin Spett: "Re: DB2 and Oracle with SQL injection"
In reply to: PortSwigger: "Re: Custom session tokens and XSS"
In reply to cc_mofo(at)hushmail.com: "IIS 5.0 with Integrated Window Authentication"
Next in thread: PortSwigger: "Re: Custom session tokens and XSS"
Reply: PortSwigger: "Re: Custom session tokens and XSS"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT