Penetration Testing mailing list archives

RE: XSS with encrypted cookie?


From: Achim Dreyer <adreyer () math uni-paderborn de>
Date: Thu, 11 Dec 2003 17:55:10 +0100 (MET)

On Thu, 11 Dec 2003, Rajesh Jose wrote:

> Hi,
>
> I didn't get "encrypted session token cookie". Normally nobody will be
> encrypting a session token. So far as the session token is strongly
> random nothing can be achieved by encrypting it.
> Or did you mean secure cookie?
> Secure cookie is a cookie which can be fetched by the server only
> through an SSL channel.
>
> In all these cases "encrypted, not-encrypted and secured" it is possible
> to fetch a cookie through XSS attack and replay the session.
>
> Replaying of session token will not be possible if the application is using
> source IP for session validation.

.. unless of course when user and attacker live on the same system, which
is quite possible on any unix system or something like a Citrix server
(farm).




Regards,
Achim Dreyer
--
A. Dreyer, Senior SysAdmin (UNIX&Network) / Internet Security Consultant
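
The source-IP session check discussed in this message, as an added example that is not part of the original post: a minimal session store that pins a token to the address seen at login, showing why the check rejects a token presented from another host but not one presented from the same multi-user system. The class and function names are hypothetical and the addresses are constructed samples.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory store that pins each session token to a source IP."""

    def __init__(self):
        self._sessions = {}  # token -> (user, source IP seen at login)

    def login(self, user, source_ip):
        # A strongly random token; encrypting it would add nothing.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, source_ip)
        return token

    def validate(self, token, source_ip):
        """Return the user name if the token is known and comes from the pinned IP."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, pinned_ip = entry
        return user if source_ip == pinned_ip else None


def replay_outcomes():
    """Validate one token from three origins; addresses are constructed samples."""
    store = SessionStore()
    shared_host = "192.0.2.10"   # multi-user unix box or Citrix server
    other_host = "198.51.100.7"  # unrelated machine
    token = store.login("alice", shared_host)
    return {
        "owner": store.validate(token, shared_host),
        # Token presented from a different address: the IP check rejects it.
        "replay_from_other_host": store.validate(token, other_host),
        # Token presented by another account on the same machine: the server
        # sees the same source address, so the IP check cannot tell them apart.
        "replay_from_shared_host": store.validate(token, shared_host),
    }


if __name__ == "__main__":
    for origin, user in replay_outcomes().items():
        print(f"{origin}: {'accepted as ' + user if user else 'rejected'}")
```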

