Re: XSS with encrypted cookie?
Next message: Core Security Technologies: "[CORE-2003-12-05] DCE RPC Vulnerabilities New Attack Vectors Analysis"
Date: Wed, 10 Dec 2003 15:00:38 -0800
To: pire pire <pirepire69@romandie.com>, pen-test@securityfocus.com
Yes, it is possible to steal cookies with XSS by using document.cookie
regardless of what data is in the cookie (e.g. the data is encrypted, or
anything else).
Usually with session tokens, any encryption is performed at the
application layer (single encryption key), and hence replaying of the
token will still work (assuming the session hasn't expired).
dd
pire pire wrote:
> Hi,
>
> I'm wondering if it's possible via an XSS attack to steal an
> encrypted cookie (actually it's a session token)? (with some
> javascript like: document.cookie etc...)
>
> If yes, is it also possible to replay this cookie? (of course the
> session must still be valid on the server)
>
> I know it works with regular cookies.
>
> Thanks a lot for your help
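The reply's point, as an added example that is not from the thread: the server only checks that a token verifies under the single application key and has not expired, so a copied token is indistinguishable from the original until expiry. It assumes an HMAC-protected token rather than an encrypted one (the server-side check is the same either way), a constructed key, and made-up timestamps; the HttpOnly attribute in the Set-Cookie helper is a standard mitigation noted here, not something the thread discusses.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: one application-wide key, as the reply describes.
APP_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # SHA-256 output size


def issue_token(user: str, ttl_s: int, now: Optional[float] = None) -> str:
    """Mint an opaque session token: JSON payload + MAC under APP_KEY."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": user, "exp": now + ttl_s}).encode()
    tag = hmac.new(APP_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token names, or None if it is forged or expired.
    Nothing here can tell a copied token from the one originally issued."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(APP_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered or forged
        data = json.loads(payload)
        user, exp = data["u"], float(data["exp"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed token
    if now > exp:
        return None  # session expired: replay no longer works
    return user


def set_cookie_header(token: str) -> str:
    """Set-Cookie line with HttpOnly, which keeps the cookie out of
    document.cookie (a mitigation beyond what the thread covers)."""
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    tok = issue_token("alice", ttl_s=600, now=1000.0)
    print("original at t=1100:", validate_token(tok, now=1100.0))   # alice
    print("copy at t=1100:    ", validate_token(str(tok), now=1100.0))  # alice
    print("copy at t=1700:    ", validate_token(tok, now=1700.0))   # None
    print(set_cookie_header(tok))
```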