WebApp Sec mailing list archives
Re: Cookie poisoning without XSS
From: "Matteo Meucci" <matteo.meucci () gmail com>
Date: Mon, 4 Sep 2006 14:58:27 +0200
Hi Smith, take a look at the OWASP Testing Guide, in particular you can point to this URL: http://www.owasp.org/index.php/How_to_perform_cookie_manipulation_test Mat -- Matteo Meucci OWASP-Italy Chair, CISSP, CISA site: http://www.owasp.org/index.php/Italy mail: matteo.meucci () owasp org ml: http://lists.owasp.org/mailman/listinfo/owasp-italy On 8/25/06, Smith Norton <smith.norton () gmail com> wrote:
I was reading about cookie poisoning. I want to know if there is any way we can poision cookies if XSS vulnerability is not possible. As far as I know, only in the presence of an XSS vulnerability, cookies can be modified. Can anyone describe a method of cookie poisoning even without XSS. Small code snippets would be very helpful to me. Smith ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnG --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: WatchfireAs web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- Cookie poisoning without XSS Smith Norton (Aug 25)
- Re: Cookie poisoning without XSS Martin Straka (Aug 25)
- Re: Cookie poisoning without XSS Dr HenDre (Aug 25)
- RE: Cookie poisoning without XSS Richard M. Smith (Aug 25)
- RE: Cookie poisoning without XSS Richard M. Smith (Aug 25)
- Re: Cookie poisoning without XSS Kanatoko (Aug 30)
- Re: Cookie poisoning without XSS Matteo Meucci (Sep 06)
- <Possible follow-ups>
- RE: Cookie poisoning without XSS Ory Segal (Aug 25)