WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cookie poisoning without XSS

From: Martin Straka <straka () websec cz>
Date: Fri, 25 Aug 2006 20:45:42 +0200 (CEST)
Hi,

On Fri, 25 Aug 2006, Smith Norton wrote:


I was reading about cookie poisoning. I want to know if there is any
way we can poision cookies if XSS vulnerability is not possible.

As far as I know, only in the presence of an XSS vulnerability,
cookies can be modified. Can anyone describe a method of cookie
poisoning even without XSS.

Small code snippets would be very helpful to me.
You can modify content of cookie if there is HTTP response splitting vulnerability in application (classic example are broken redirection scripts): 

 http://www.site.com/xxx?redirect=%0ASet-Cookie:%20cookie=value

which can result in:

| HTTP/1.1 301 Moved Permanently
| Location:
| Set-Cookie: cookie=value

http://www.webappsec.org/projects/threat/classes/http_response_splitting.shtml
http://www.owasp.org/index.php/HTTP_Response_Splitting
http://en.wikipedia.org/wiki/HTTP_response_splitting

Regards,
Martin Straka

-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today! 

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnG
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: