RE: XSS with encrypted cookie?
From: Achim Dreyer (adreyer_at_math.uni-paderborn.de)
Date: 12/11/03
- Previous message: Paul Bakker: "RE: Cisco Catalyst 4006 CatOS Password Hash"
- In reply to: Rajesh Jose: "RE: XSS with encrypted cookie?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Dec 2003 17:55:10 +0100 (MET) To: Rajesh Jose <rajesh.jose@paladion.net>
On Thu, 11 Dec 2003, Rajesh Jose wrote:
> Hi,
>
> I didn't get "encrypted session token cookie". Normally nobody will be
> encrypting a session token. As long as the session token is strongly
> random, nothing can be achieved by encrypting it.
> Or did you mean secure cookie?
> A secure cookie is a cookie which can be fetched by the server only
> through an SSL channel.
>
> In all these cases "encrypted, not-encrypted and secured" it is possible
> to fetch a cookie through an XSS attack and replay the session.
>
> Replaying a session token will not be possible if the application is using
> the source IP for session validation.
... unless, of course, the user and attacker live on the same system, which
is quite possible on any UNIX system or something like a Citrix server
(farm).
Regards,
Achim Dreyer
-- A. Dreyer, Senior SysAdmin (UNIX&Network) / Internet Security Consultant
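The point made in this exchange, as an added illustration that is not part of the original thread: a minimal server-side session store that binds each random token to the source IP it was issued to, showing that a token stolen via XSS is rejected when replayed from another host but accepted when the attacker shares the victim's host (and hence its IP). All class and function names are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: not taken from any real application. Encrypting the
# token would change nothing below, since an XSS payload reads the cookie
# value verbatim and replays it as-is.


@dataclass
class Session:
    user: str
    source_ip: str  # client IP recorded at login, used for validation


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, source_ip: str) -> str:
        # Strongly random token; its randomness, not secrecy of its format,
        # is what makes guessing infeasible.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, source_ip)
        return token

    def validate(self, token: str, source_ip: str) -> Optional[str]:
        """Return the user for a valid (token, source IP) pair, else None."""
        session = self._sessions.get(token)
        if session is None or session.source_ip != source_ip:
            return None
        return session.user


def replay_outcomes() -> Dict[str, Optional[str]]:
    """Simulate one stolen token replayed from two different vantage points."""
    store = SessionStore()
    stolen = store.create("alice", "10.0.0.5")  # victim logs in from 10.0.0.5
    return {
        # Attacker on a different host: the IP binding blocks the replay.
        "remote_attacker": store.validate(stolen, "198.51.100.7"),
        # Attacker on the same multi-user UNIX box or Citrix farm as the
        # victim: identical source IP, so the replay is accepted.
        "same_host_attacker": store.validate(stolen, "10.0.0.5"),
    }
```

The same acceptance applies behind any shared NAT, so IP binding narrows replay rather than preventing it.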