
Re: Custom session tokens and XSS

From: PortSwigger <mail(at)portswigger.net>
Date: Thu Aug 14 2003 - 08:25:55 EDT

Hi -- it was the constant type of token that I had in mind.

But your session fixation attack isn't what I was interested in -- I presume it could be stopped in the usual way by issuing a fresh token on each login. I was interested in the possibility of hijacking an existing, already logged-in, session via XSS vulnerabilities in the situation where a hidden form field is used to transmit the token. Standard attacks like giving the user a crafted URL don't work, as their request won't contain their token and so they effectively leave their prior session (in contrast to what happens with cookies). The "fixation" issue arose as a way to frame a valid request which, when made by the user, would succeed in injecting the XSS payload into their browser (and avoid bouncing back to login). But again here, the user will leave their prior session and join the attacker's -- whilst the attacker will be able to inject his payload (which is bad) he won't be able to straightforwardly steal the user's prior (now abandoned) token.

Cheers,
PortSwigger

On Thursday 14 August 2003 09:52, Ingo Struck wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
Received on Thu Aug 14 08:52:48 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT
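As an added example (not code from this thread, from PortSwigger or from Ingo Struck), a small Python model of a server that carries its session token in a hidden form field. It shows the two behaviours discussed in the message: a request that arrives without the token drops into a fresh anonymous session and leaves the logged-in session untouched, and issuing a fresh token on login means a pre-chosen token never becomes the authenticated session. The class and function names are assumptions made for the example.

```python
import secrets

# Sessions are kept server-side, keyed by token. Because the token travels in a
# hidden form field, the client has to echo it back in every form submission.
class SessionStore:
    def __init__(self):
        self.sessions = {}  # token -> {"user": username or None}

    def new_session(self):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": None}
        return token

    def login(self, presented_token, user):
        """Authenticate the user and, as the mitigation the thread mentions,
        issue a fresh token on login. The token presented before login is
        retired, so a token fixed in advance never becomes the logged-in one."""
        self.sessions.pop(presented_token, None)
        fresh = self.new_session()
        self.sessions[fresh]["user"] = user
        return fresh

    def handle_form_post(self, form):
        """Resolve the session for a form submission. A request lacking a valid
        token (for example one built from a crafted URL) gets a brand-new
        anonymous session; any existing session is neither read nor altered."""
        token = form.get("session_token")
        if token not in self.sessions:
            token = self.new_session()
        return token, self.sessions[token]["user"]


def demo():
    store = SessionStore()
    victim = store.login(store.new_session(), "alice")  # alice is logged in

    # 1. A token-less request: the user lands in a fresh anonymous session and
    #    alice's authenticated session is not exposed or touched.
    anon_token, anon_user = store.handle_form_post({})
    untouched = store.sessions[victim]["user"] == "alice" and anon_token != victim

    # 2. Fixation attempt (constructed): a token chosen beforehand exists in the
    #    store and is presented at login; the server hands back a different one.
    fixed = "attacker-chosen-token"
    store.sessions[fixed] = {"user": None}
    post_login = store.login(fixed, "bob")
    rotated = post_login != fixed and fixed not in store.sessions
    return anon_user, untouched, rotated
```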

