Penetration Testing mailing list archives
RE: XSS with encrypted cookie?
From: Achim Dreyer <adreyer () math uni-paderborn de>
Date: Thu, 11 Dec 2003 17:55:10 +0100 (MET)
On Thu, 11 Dec 2003, Rajesh Jose wrote:
Hi, I didn't get "encrypted session token cookie". Normally nobody will be encrypting a session token. So far as the session token is strongly random nothing can be achieved by encrypting it. Or did you mean secure cookie? Secure cookie is a cookie which can be fetched by the server only through a SSL channel. In all these cases "encrypted, not-encrypted and secured" it is possible to fetch a cookie through XSS attack and replay the session. Replaying of session token will not possible if the application is using source IP for session validation.
.. unless of course when user and attacker live on the same system, which is quite possible on any unix system or something like a citrix server (farm). Regards, Achim Dreyer -- A. Dreyer, Senior SysAdmin (UNIX&Network) / Internet Security Consultant --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- XSS with encrypted cookie? pire pire (Dec 10)
- Re: XSS with encrypted cookie? dd (Dec 11)
- RE: XSS with encrypted cookie? Rajesh Jose (Dec 11)
- RE: XSS with encrypted cookie? Achim Dreyer (Dec 11)