Re: Wanted script to email cookies
From: auto125268@hushmail.com
Date: 11/30/01
Message-Id: <200111301953.fAUJrnH39841@mailserver2a.hushmail.com>
From: auto125268@hushmail.com
To: pen-test@securityfocus.com
Subject: Re: Wanted script to email cookies
Date: Fri, 30 Nov 2001 11:53:49 -0800
You may wanna try WebSleuth at www.owasp.org. I know the release they have going out this weekend does cross-site scripting. JavaScript prevents an easy way to send the cookie using email (it does actually have a security model!) but you can call a gif on a remote server and send the cookie values in the url or many other ways. ....not hard....WebSleuth will also allow you to play and change any cookie values as well and it's open source so you can add to it...
I'm working on a pen test for a web application. After
the first time you successfully authenticate, the app
stores a cookie with username and password in clear
text. I've recently read the archive regarding
vulnerable IE browsers revealing cookies. I'd like to
go a step farther. Does anyone have a script that will
email the cookie? I'd like to craft an email with a link
and when a user clicks, it emails the cookie. I want
to show the client how dangerous it is to store a clear
text cookie. Also, any other method of cookie stealing
would be really appreciated. Thanks.
Joe
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
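The weakness discussed in this thread (credentials kept in a cookie that page script can read) can be checked from the defender's side by auditing the application's Set-Cookie headers. The following is an added example, not part of the original messages; the function names, the credential-matching patterns and the sample headers are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): audit Set-Cookie headers for the
// weaknesses discussed above. Regexes and function names are assumptions.
const CRED_NAME = /^(user(name)?|login|pass(word|wd)?|pwd)$/i;
const CRED_IN_VALUE = /(^|[&|,])(user(name)?|login|pass(word|wd)?|pwd)=/i;

// Split one Set-Cookie header value into name, value and attribute names.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return { name: "", value: "", attrs: new Set() };
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = new Set(parts.slice(1).map((p) => p.split("=")[0].trim().toLowerCase()));
  return { name, value, attrs };
}

// Return the list of findings for one Set-Cookie header.
function auditSetCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  let decoded = value;
  try {
    decoded = decodeURIComponent(value);
  } catch (_) {
    // Malformed percent-encoding: fall back to the raw value.
  }
  const findings = [];
  if (!attrs.has("httponly")) findings.push("no HttpOnly: page script can read it");
  if (!attrs.has("secure")) findings.push("no Secure: sent over plain HTTP");
  if (CRED_NAME.test(name) || CRED_IN_VALUE.test(decoded)) {
    // Flags alone do not fix this; the server should issue an opaque session id.
    findings.push("credential-like data stored in the cookie");
  }
  return findings;
}

// Constructed sample headers, not captured from any real application.
const SAMPLES = [
  "auth=username%3Djoe%26password%3Dexample-pass; Path=/",
  "password=example-pass; Path=/; Secure",
  "sid=9f2c7b1e4a6d8035c1d2; Path=/; Secure; HttpOnly; SameSite=Lax",
];

for (const h of SAMPLES) {
  console.log(h.split("=")[0], "->", auditSetCookie(h));
}
```

Only the third sample, an opaque session identifier with both flags set, passes without findings.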