WebApp Sec mailing list archives

Re: XSS and URL Encoded Session IDs


From: Ryan Yagatich <ryany () pantek com>
Date: Tue, 17 Dec 2002 06:21:38 -0500 (EST)

BF,
        Here's my thought on this, and though it may not be the best 
solution, it is at least _a_ solution.

Looking at this from the more objective POV, I see the 'problem' as being 
'How do I get the SessionID'. 

Well, I'm not big on the ASP/IIS side of things, but I have noticed a 
trend in a few ways of getting that information.

Q) How does the client get the SessionID?
A) The client can either get the SessionID from a cookie that is placed on 
their system (i.e. ASPSESSION='...'), or the server embeds the SID in HREF 
links on the page.

So, there are 2 places you could write code, either
A) accept the cookie, extract the SessionID
B) retrieve a URL and get the SessionID from the parsed string.

Both of which would take 2-3 different steps.

Thanks,
Ryan Yagatich
,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com                 (440) 519-1802 \
/                                                      /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

On Mon, 16 Dec 2002, B F wrote:

Hi List,

recently I did my first "real" WebApp Audit, so I'm quite
new to this topic. The application in case has lots of
XSS Vulnerabilities, but they are only accessible if you
already know the SessionID of a specific user. Example:

https://somesite.com/bad.asp?SID=4243434234234234?ID=<xss string of choice>

As you may have noticed the site is only accessible via HTTPS.
So how to craft a URL which will trigger the XSS? Don't
I have to know the SessionID first?

The only thing I can think of is to exploit a client side vuln.
to get the SID.

Any better ideas?

BF
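
The two places named in the reply above (a session cookie, or an SID embedded in HREF links) are also what a defender audits on each response. The following is an added example, not part of the original thread: a Python check that flags session cookies set without the Secure/HttpOnly attributes and links that carry a session parameter. The name hints and the sample response are constructed assumptions.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Assumption: a name containing one of these fragments is a session identifier.
SESSION_HINTS = ("sid", "session")

# Constructed sample response (not taken from any real site).
SAMPLE_COOKIES = ["ASPSESSIONIDQQGGQQ=CONSTRUCTED0001; path=/"]
SAMPLE_HTML = ('<a href="/bad.asp?SID=CONSTRUCTED0001&amp;ID=7">item</a>'
               '<a href="/help.asp?topic=1">help</a>')

def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)

class _Links(HTMLParser):
    """Collects every href attribute value found in the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_response(set_cookie_headers, html):
    """Return (where, name, detail) findings; values are never reported."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not looks_like_session(name):
                continue
            # Without Secure the cookie can travel over plain HTTP; without
            # HttpOnly, script injected through XSS can read it.
            missing = [f for f in ("secure", "httponly") if not morsel[f]]
            if missing:
                findings.append(("cookie", name, "missing " + ",".join(missing)))
    parser = _Links()
    parser.feed(html)
    for href in parser.hrefs:
        parts = urlsplit(href)
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if looks_like_session(name):
                # A URL-borne ID ends up in logs, history and Referer headers.
                findings.append(("url", name, "in link to " + parts.path))
    return findings

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_COOKIES, SAMPLE_HTML):
        print(finding)
```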








