Vulnerability Development mailing list archives

Re: Can you exploit this XSS?


From: "Sverre H. Huseby" <shh () thathost com>
Date: Fri, 21 Nov 2003 21:04:25 +0100

[Dawes, Rogan]

|   I get your cookie, you log in on the next step, and the cookie
|   does not change (for *MANY* applications). Now I have your cookie,
|   and it is for an authenticated session.
For much more on this, see Mitja Kolšek's nice paper called "Session
Fixation Vulnerability in Web-based Applications" at

    http://www.acros.si/papers/session_fixation.pdf


Sverre.

-- 
shh () thathost com
http://shh.thathost.com/
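As an added illustration (not part of Sverre's message or of Kolšek's paper), the following Python model replays the scenario Rogan describes above: the attacker obtains a valid anonymous session ID from the server, plants it in the victim's browser, and the victim then logs in. Two login handlers are compared: one that authenticates whatever session ID the client presents (the "cookie does not change" behaviour), and one that discards the pre-login ID and issues a fresh one. The session store, the user table and both handlers are hypothetical stand-ins for a real web framework, constructed here so the example runs offline.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed credential table standing in for the application's user database.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal in-memory session backend: one dict entry per session ID."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def create(self) -> str:
        """Issue a fresh, unpredictable, anonymous session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Return the user bound to this session ID, or None if anonymous/unknown."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def check_password(username: str, password: str) -> bool:
    # Hypothetical credential check; a real application would compare hashes.
    return USERS.get(username) == password


def login_vulnerable(store: SessionStore, presented_sid: str,
                     username: str, password: str) -> str:
    """Authenticate the session the client already has: the ID in the cookie
    stays exactly the same across the login step (the behaviour under discussion)."""
    if presented_sid not in store.sessions:
        presented_sid = store.create()
    if check_password(username, password):
        store.sessions[presented_sid]["user"] = username
    return presented_sid


def login_fixed(store: SessionStore, presented_sid: str,
                username: str, password: str) -> str:
    """Regenerate the session when privilege changes: invalidate the pre-login ID
    and bind the authenticated state to a new ID the attacker has never seen."""
    if not check_password(username, password):
        return presented_sid if presented_sid in store.sessions else store.create()
    store.sessions.pop(presented_sid, None)      # kill the possibly fixated ID
    new_sid = store.create()
    store.sessions[new_sid]["user"] = username
    return new_sid


def run_fixation_attack(login: Callable[[SessionStore, str, str, str], str]) -> Tuple[bool, bool]:
    """Replay the thread's scenario against a login handler.

    Returns (hijacked, sid_changed):
      hijacked    - the attacker's pre-planted ID now carries the victim's login
      sid_changed - the victim received a different session ID after logging in
    """
    store = SessionStore()
    # 1. Attacker obtains a valid anonymous session ID from the server.
    attacker_sid = store.create()
    # 2. Attacker plants that ID in the victim's browser (e.g. via the XSS
    #    discussed in this thread); the delivery step is not modelled here.
    # 3. Victim logs in while presenting the attacker's ID.
    victim_sid = login(store, attacker_sid, "alice", "correct horse battery staple")
    # 4. Check whether the attacker's copy of the ID is now an authenticated session.
    hijacked = store.user_for(attacker_sid) == "alice"
    return hijacked, victim_sid != attacker_sid


if __name__ == "__main__":
    print("vulnerable handler (hijacked, sid_changed):", run_fixation_attack(login_vulnerable))
    print("fixed handler     (hijacked, sid_changed):", run_fixation_attack(login_fixed))
```

The fixed handler does two things that matter: it drops the presented ID from the store (so the attacker's copy becomes worthless even if the victim's new cookie is never observed) and it issues the new ID from the server's own random source, so the attacker has no way to predict or pre-plant it.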

