Penetration Testing mailing list archives

Re: Wanted script to email cookies


From: auto125268 () hushmail com
Date: Fri, 30 Nov 2001 11:53:49 -0800


You may wanna try WebSleuth at www.owasp.org. I know the release they have going out this weekend does cross-site 
scripting. JavaScript prevents an easy way to send the cookie using email (it does actually have a security model!) but 
you can call a gif on a remote server and send the cookie values in the URL, or many other ways... not 
hard... WebSleuth will also allow you to play with and change any cookie values as well, and it's open source so you can add 
to it...


I'm working on a pen test for a web application.  After 
the first time you successfully authenticate, the app 
stores a cookie with username and password in clear 
text.  I've recently read the archive regarding 
vulnerable IE browsers revealing cookies.  I'd like to 
go a step farther.  Does anyone have a script that will 
email the cookie?  I'd like to craft an email with a link 
and when a user clicks, it emails the cookie.  I want 
to show the client how dangerous it is to store a clear 
text cookie.  Also, any other method of cookie stealing 
would be really appreciated.  Thanks.

Joe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

