
Re: Custom session tokens and XSS

From: Ingo Struck <ingo(at)ingostruck.de>
Date: Thu Aug 14 2003 - 09:00:50 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi...

> I was interested in the possibility of hijacking an existing,
Well, ok.
Regarding existing session stealing XSS attacks, there is really no difference at all between a hidden form field and a cookie - both are equally accessible from within JavaScript. So if the attacker can induce any XSS payload on the victim, it doesn't make much difference if you store the session token in a cookie or in a hidden form field. They can both be read by JavaScript and then submitted using any common technique to a third location. This also holds true for any SID stored in the URL.

Bottom line:
It is equally easy / difficult for an attacker who is able to induce an XSS payload on the victim's browser to steal any existing SID, be it stored within a cookie, hidden form field or URL.

(That means that you should encourage all your users to switch off all kinds of scripting and don't rely on it within your apps).

Kind regards

Ingo

-- 
ingo@ingostruck.de
Use PGP: http://ingostruck.de/ingostruck.gpg
with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/O4gGhQivkhmqPSQRAqQJAJ92JRCckSYBgMCdprBC0ldIK2ya8wCdGNwQ QEEy9zOu2mQisJfrGnkQhvg=
=ZMEC
-----END PGP SIGNATURE-----

Received on Thu Aug 14 09:27:52 2003
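
The point made in the message above, as an added example that is not part of the original post: a small audit function that lists every place on a page where a session ID is readable by script. The `doc` objects are constructed stand-ins for the browser's `document` (cookie string, forms, location); the name `SID`, the value `abc123` and the `app.example` URLs are assumptions.

```javascript
// Added example: audit where a session ID is readable by page script.
// `doc` mimics what any script on the page can read (constructed sample, not a real DOM).
function scriptReadableSidLocations(doc, sidName) {
  const found = [];

  // 1. Cookie: document.cookie is a "name=value; name=value" string.
  for (const pair of doc.cookie.split(";")) {
    const eq = pair.indexOf("=");
    if (eq !== -1 && pair.slice(0, eq).trim() === sidName) {
      found.push({ location: "cookie", value: pair.slice(eq + 1).trim() });
    }
  }

  // 2. Hidden form field: every input of every form is visible to script.
  for (const form of doc.forms) {
    for (const input of form.elements) {
      if (input.type === "hidden" && input.name === sidName) {
        found.push({ location: "hidden form field", value: input.value });
      }
    }
  }

  // 3. URL: the query string of the current location.
  const query = new URL(doc.location.href).searchParams;
  if (query.has(sidName)) {
    found.push({ location: "URL", value: query.get(sidName) });
  }
  return found;
}

// Constructed sample pages, one per storage choice discussed in the message.
const HOME = "https://app.example/home";
const samplePages = {
  cookie: { cookie: "lang=en; SID=abc123", forms: [], location: { href: HOME } },
  hidden: {
    cookie: "lang=en",
    forms: [{ elements: [{ type: "hidden", name: "SID", value: "abc123" }] }],
    location: { href: HOME },
  },
  url: { cookie: "lang=en", forms: [], location: { href: HOME + "?SID=abc123" } },
};

// Returns, per sample page, the locations where the SID was script-readable.
function auditSamples() {
  const report = {};
  for (const [name, doc] of Object.entries(samplePages)) {
    report[name] = scriptReadableSidLocations(doc, "SID").map((f) => f.location);
  }
  return report;
}
```

Each storage choice yields exactly one finding with the same token value, which is the equivalence the message describes.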


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

