Vulnerability Development mailing list archives
RE: Can you exploit this XSS?
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 21 Nov 2003 09:59:29 +0200
P.S. Thanks to Mike Brownbill for pointing out that this is "minimal risk as stealing cookies from users which aren't logged in is quite simply futile" !!!
Not so! I get your cookie, you log in on the next step, and the cookie does not change (for *MANY* applications). Now I have your cookie, and it is for an authenticated session. All it means is that you need to wait for the user to authenticate before ripping them off ;-)

Simply test that they have authenticated by visiting some URL that returns different values based on an authenticated or unauthenticated cookie.

Rogan
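The scenario Rogan describes, as an added example that is not part of the original post or any real application: a toy in-memory session store where the anonymous session cookie is simply upgraded on login (the vulnerable behaviour), beside the fix of issuing a fresh cookie on login. The attacker's "have they logged in yet?" probe is a replay of the stolen cookie against a page whose response differs for authenticated and anonymous sessions. The `ToyApp` class, the `whoami` endpoint and the `alice`/`hunter2` credentials are constructed for this illustration; the XSS exfiltration step itself is assumed to have already happened and is not modelled.

```python
import secrets
from typing import Optional, Tuple

# Constructed credentials for the toy application (not from the thread).
USERS = {"alice": "hunter2"}


class ToyApp:
    """Minimal server keeping sessions keyed by the session cookie value.

    rotate_on_login=False reproduces the behaviour the post describes: the
    pre-authentication cookie is kept and merely marked as logged in, so
    whoever captured it before login holds an authenticated session after.
    rotate_on_login=True is the fix: discard the pre-authentication session
    and issue a fresh cookie once the credentials check out.
    """

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # cookie value -> {"user": name or None}

    def _new_session(self, user: Optional[str] = None) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user}
        return cookie

    def visit(self, cookie: Optional[str] = None) -> str:
        """Any page view: hands out a session cookie if the visitor has none."""
        if cookie is None or cookie not in self.sessions:
            return self._new_session()
        return cookie

    def login(self, cookie: Optional[str], user: str, password: str) -> Tuple[str, bool]:
        """Returns (cookie the browser should hold from now on, success)."""
        cookie = self.visit(cookie)
        if USERS.get(user) != password:
            return cookie, False
        if self.rotate_on_login:
            del self.sessions[cookie]            # the stolen cookie dies here
            return self._new_session(user), True
        self.sessions[cookie]["user"] = user     # vulnerable: same cookie, now authenticated
        return cookie, True

    def whoami(self, cookie: str) -> str:
        """A URL whose response differs for authenticated and anonymous cookies."""
        session = self.sessions.get(cookie)
        if session is None or session["user"] is None:
            return "anonymous"
        return "logged in as " + session["user"]


def probe_is_authenticated(app: ToyApp, stolen_cookie: str) -> bool:
    """The attacker's check: replay the stolen cookie and look at the response."""
    return app.whoami(stolen_cookie) != "anonymous"


def run_scenario(rotate_on_login: bool) -> dict:
    """Victim browses anonymously, cookie is stolen, victim then logs in."""
    app = ToyApp(rotate_on_login)
    victim_cookie = app.visit()          # victim's first anonymous page view
    stolen = victim_cookie               # XSS exfiltrates document.cookie at this point
    usable_before = probe_is_authenticated(app, stolen)   # futile right now
    victim_cookie, ok = app.login(victim_cookie, "alice", "hunter2")
    usable_after = probe_is_authenticated(app, stolen)    # attacker polls again
    return {
        "login_ok": ok,
        "stolen_usable_before_login": usable_before,
        "stolen_usable_after_login": usable_after,
        "whoami_with_stolen_cookie": app.whoami(stolen),
    }


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_on_login =", rotate, "->", run_scenario(rotate))
```

With `rotate_on_login=False` the stolen cookie reports `anonymous` before the victim logs in and `logged in as alice` afterwards, which is exactly the wait-and-probe attack; with `rotate_on_login=True` the old cookie is gone from the store and the probe stays at `anonymous` no matter how long the attacker waits. Real frameworks offer this rotation as a one-liner (regenerate the session ID on authentication), and the probe URL can be anything from a profile page to a redirect-to-login that only fires for anonymous sessions.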
Current thread:
- Re: Can you exploit this XSS?, (continued)
- Re: Can you exploit this XSS? Robin (Nov 19)
- Re: Can you exploit this XSS? Paul Johnston (Nov 19)
- Re: Can you exploit this XSS? dd (Nov 19)
- Re: Can you exploit this XSS? Sverre H. Huseby (Nov 20)
- Re: Can you exploit this XSS? Paul Johnston (Nov 20)
- Re: Can you exploit this XSS? mark (Nov 25)
- Re: Can you exploit this XSS? Peter Pentchev (Nov 26)
- RE: Can you exploit this XSS? Scovetta, Michael V (Nov 19)
- Re: Can you exploit this XSS? Paul Johnston (Nov 19)
- RE: Can you exploit this XSS? Parity (Nov 24)
- RE: Can you exploit this XSS? Dawes, Rogan (ZA - Johannesburg) (Nov 21)
- Re: Can you exploit this XSS? Sverre H. Huseby (Nov 21)
- Re: Can you exploit this XSS? Robin (Nov 19)