Vulnerability Development mailing list archives

RE: CSS, CSS & let me give you some more CSS

From: "Obscure" <obscure () eyeonsecurity net>
Date: Fri, 1 Feb 2002 00:44:53 +0100

1. You can grab a session cookie which can give you a hijacked login.
Obviously not good but also not that easy to implement as it needs quite
precise timing. Also the rightful session owner (even if unsophisticated
user) is immediately going to notice something funny is happening when his
or her genuine session blows away.


Precise timing is not a problem. It is very easy to implement a CGI script
that
grabs the session cookie, and immediately uses it to access the victim's
account
and do some action on him behalf - such as read e-mails if we're talking
about
a Web-mail application.

Also, the session owner will probably never notice - while doing research
about
a CSS exploit in Passport/Hotmail I noticed that the original session does
not
"blow up" - and it shouldn't "blow up" unless there is checking for the
original IP
address - which most Web applications don't.

I wouldn't under-estimate Cross-Site scripting if I were you ;)

ref: http://eyeonsecurity.net/papers/passporthijack.html

-Obs



-----Original Message-----
From: Joe Harrison [mailto:list-general () ntlworld com]
Sent: 31 January 2002 21:10
To: Securityfocus-Vulndev
Subject: RE: CSS, CSS & let me give you some more CSS


I can't help feel the importance of these cross-site-scripting attacks is
over-emphasised.

1. You can grab a session cookie which can give you a hijacked login.
Obviously not good but also not that easy to implement as it needs quite
precise timing. Also the rightful session owner (even if unsophisticated
user) is immediately going to notice something funny is happening when his
or her genuine session blows away.

2. Gives increased scope to effect script attacks against known holes,
by-passing "security zone" protections in IE. Hmm well OK, there may be a
few people who fit into profile of "savvy enough to manage sites and zones,
but who don't install MS browser patches."

Is there anything else, I don't think so. I'm not saying the problem doesn't
exist and can't be exploited, only that maybe it doesn't rate so much heat
and light compared to many more obvious risks.

Current thread:

RE: CSS, CSS & let me give you some more CSS Obscure (Jan 31)
- <Possible follow-ups>
- RE: CSS, CSS & let me give you some more CSS info (Feb 01)
  - Re: CSS, CSS & let me give you some more CSS Bill Pennington (Feb 01)
- Re: CSS, CSS & let me give you some more CSS E M (Feb 01)
  - Re: CSS, CSS & let me give you some more CSS Sverre H. Huseby (Feb 01)
  - New thoughts on CSS Brett Moore (Feb 01)
    - RE: New thoughts on CSS Matt Dickinson (Feb 01)
    - RE: New thoughts on CSS jon schatz (Feb 01)
    - Re: New thoughts on CSS Blue Boar (Feb 01)
    - Re: New thoughts on CSS Jonas M Luster (Feb 03)
    - RE: New thoughts on CSS other (Feb 02)

(Thread continues...)