RE: XSS with encrypted cookie?

From: Rajesh Jose (rajesh.jose_at_paladion.net)
Date: 12/11/03

    To: "'pire pire'" <pirepire69@romandie.com>, <pen-test@securityfocus.com>
    Date: Thu, 11 Dec 2003 15:24:21 +0530
    
    

    Hi,

    I didn't get "encrypted session token cookie". Normally nobody will be
    encrypting a session token. As long as the session token is strongly
    random, nothing can be achieved by encrypting it.
    Or did you mean a secure cookie?
    A secure cookie is a cookie which can be fetched by the server only
    through an SSL channel.

    In all these cases ("encrypted, not-encrypted and secured") it is possible
    to fetch a cookie through an XSS attack and replay the session.

    Replaying of the session token will not be possible if the application is
    using the source IP for session validation.

    Cheers,
    Rajesh

    -----Original Message-----
    From: pire pire [mailto:pirepire69@romandie.com]
    Sent: Wednesday, December 10, 2003 1:14 PM
    To: pen-test@securityfocus.com
    Subject: XSS with encrypted cookie?

    Hi,

    I'm wondering if it's possible via an XSS attack to steal an
    encrypted cookie (actually it's a session token)? (with some
    javascript like: document.cookie etc...)

    If yes, is it also possible to replay this cookie? (of course the
    session must still be valid on the server)

    I know it works with a regular cookie.

    Thanks a lot for your help

    ----------------------------------------------------------------------------
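
The server-side view of the reply above, as an added example that is not part of the original thread: an encrypted cookie is still an opaque bearer value, so it validates when presented unchanged from another address unless the session is tied to the source IP. `SessionStore`, `replayAccepted` and the addresses are hypothetical names and constructed values.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

class SessionStore {
  constructor({ bindToSourceIp }) {
    this.bindToSourceIp = bindToSourceIp;
    this.key = nodeCrypto.randomBytes(32); // server-only key for the "encrypted" cookie
    this.sessions = new Map();             // token -> { user, ip }
  }
  // Encrypt the token with AES-256-GCM; cookie value is iv.tag.ciphertext in hex.
  seal(token) {
    const iv = nodeCrypto.randomBytes(12);
    const c = nodeCrypto.createCipheriv('aes-256-gcm', this.key, iv);
    const ct = Buffer.concat([c.update(token, 'utf8'), c.final()]);
    return [iv, c.getAuthTag(), ct].map(b => b.toString('hex')).join('.');
  }
  open(cookie) {
    try {
      const [iv, tag, ct] = cookie.split('.').map(s => Buffer.from(s, 'hex'));
      const d = nodeCrypto.createDecipheriv('aes-256-gcm', this.key, iv);
      d.setAuthTag(tag);
      return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
    } catch {
      return null;                         // malformed or tampered cookie
    }
  }
  login(user, ip) {
    const token = nodeCrypto.randomBytes(32).toString('hex'); // strongly random token
    this.sessions.set(token, { user, ip });
    return this.seal(token);               // the value the browser stores
  }
  // Returns the user name for a valid session, or null.
  validate(cookie, ip) {
    const token = typeof cookie === 'string' ? this.open(cookie) : null;
    const s = token && this.sessions.get(token);
    if (!s) return null;
    if (this.bindToSourceIp && s.ip !== ip) return null; // presented from another address
    return s.user;
  }
}

// Constructed addresses from the RFC 5737 documentation ranges.
const VICTIM_IP = '192.0.2.10', OTHER_IP = '198.51.100.7';

// Does the same cookie bytes, presented from a different address, still validate?
function replayAccepted(bindToSourceIp) {
  const store = new SessionStore({ bindToSourceIp });
  const cookie = store.login('alice', VICTIM_IP);
  return store.validate(cookie, OTHER_IP) !== null;
}
```

Source-IP binding only distinguishes clients that arrive from different addresses, and it logs out legitimate users whose address changes mid-session.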
    
