Penetration Testing mailing list archives
RE: XSS with encrypted cookie?
From: "Rajesh Jose" <rajesh.jose () paladion net>
Date: Thu, 11 Dec 2003 15:24:21 +0530
Hi,

I didn't get "encrypted session token cookie". Normally nobody will be encrypting a session token. As long as the session token is strongly random, nothing can be achieved by encrypting it. Or did you mean a secure cookie? A secure cookie is a cookie which can be fetched by the server only through an SSL channel.

In all these cases, "encrypted, not-encrypted and secured", it is possible to fetch a cookie through an XSS attack and replay the session. Replaying the session token will not be possible if the application is using the source IP for session validation.

Cheers,
Rajesh

-----Original Message-----
From: pire pire [mailto:pirepire69 () romandie com]
Sent: Wednesday, December 10, 2003 1:14 PM
To: pen-test () securityfocus com
Subject: XSS with encrypted cookie?

Hi,

I'm wondering if it's possible via an XSS attack to steal an encrypted cookie (actually it's a session token)? (with some javascript like: document.cookie etc...) If yes, is it also possible to replay this cookie? (of course the session must still be valid on the server) I know it works with a regular cookie.

Thanks a lot for your help
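The two points made in this thread (a strongly random token needs no encryption, and binding the session to the source IP defeats a replayed token) can be shown server-side. The following is an added example written for this archive page, not code posted by anyone in the thread: a minimal in-memory session store that issues a random token, validates it against the client IP it was issued to, and builds the Set-Cookie header with the Secure flag (the "secure cookie" mentioned above) and the HttpOnly flag, which keeps the cookie out of document.cookie. The class and function names, the 15-minute lifetime and the sample addresses are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 900  # constructed value: 15-minute lifetime for the example


@dataclass
class Session:
    user: str
    client_ip: str    # address the token was issued to (the "source IP" check)
    expires_at: float


class SessionStore:
    """In-memory session table keyed by a random token (hypothetical, example only)."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so the expiry path can be exercised in tests

    def create(self, user, client_ip):
        # 32 random bytes -> 256 bits of entropy from the OS CSPRNG. An unguessable
        # token gains nothing from encryption; the attacker replays it as-is.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, self._clock() + self._ttl)
        return token

    def validate(self, token, client_ip):
        """Return the user for a valid token, or None.

        Rejects unknown tokens, expired tokens, and replayed tokens (a genuine
        token presented from a source IP other than the one it was issued to).
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() > session.expires_at:
            del self._sessions[token]
            return None
        if session.client_ip != client_ip:
            return None  # token was lifted and replayed from another host
        return session.user

    def revoke(self, token):
        """Logout: drop the token so a stolen copy stops working immediately."""
        self._sessions.pop(token, None)


def set_cookie_header(name, value, secure=True, http_only=True):
    """Build the Set-Cookie header value for the session token.

    Secure:   browser sends the cookie only over TLS (the "secure cookie" above).
    HttpOnly: cookie is not exposed through document.cookie, so script injected
              by an XSS flaw cannot read it.
    """
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "10.0.0.5")          # constructed client address
    print("Set-Cookie:", set_cookie_header("SESSIONID", token))
    print("same host   :", store.validate(token, "10.0.0.5"))
    print("other host  :", store.validate(token, "203.0.113.9"))  # replay attempt
```

The IP binding is exactly the check Rajesh describes; in deployment it also breaks sessions for users whose address changes mid-session (shared proxies, mobile networks), so it is usually paired with a short lifetime and HttpOnly rather than relied on alone.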
Current thread:
- XSS with encrypted cookie? pire pire (Dec 10)
- Re: XSS with encrypted cookie? dd (Dec 11)
- RE: XSS with encrypted cookie? Rajesh Jose (Dec 11)
- RE: XSS with encrypted cookie? Achim Dreyer (Dec 11)