WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Custom session tokens and XSS

From: Ingo Struck <ingo () ingostruck de>
Date: Wed, 13 Aug 2003 14:45:45 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi...


I think I may be misunderstanding this,  but if the attacker makes a web
request and gets a valid token, it will be a valid token for HIS session.
By creating a malicious email/web page with this token, the victim will be
opening the attackers session!

Yeah, that's exactly a successful attack!


Any XSS in the page, will only have access to the attackers token - which
is useless from an attack point of view.

This is *NOT AT ALL* useless from an attack point of view:

a) attacker creates a session token
b) attacker tricks victim to use "his" session token
c) victim logs in on this session
d) attacker has still access to the session and thus can do anything
the victim could do too.

Of course this only works, if the application does not switch session id
upon login (most don't!) and if the application does not check for equal
source IPs (most don't).
That's why it is strongly recommended at least to switch session tokens
upon login; checking source IP for subsequent requests is a nice-to-have
but may close off users who come frome providers with dynamic IP allocation.

Kind regards

Ingo

- -- 
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/OjL8hQivkhmqPSQRAr6KAJ9z0lNbwutL1ba4pGpY3aEoV8OnMwCePl6k
RuthsqpwJx/GXUzAYOIOu3Y=
=NTA7
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: