Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: XSS with encrypted cookie?
From: dd <dd () ghettohackers net>
Date: Wed, 10 Dec 2003 15:00:38 -0800

Yes, it is possible to steal cookies with XSS by using document.cookie regardless of what data is in the cookie (eg. the data is encrypted, or anything else).

Usually with session tokens, any encryption is performed at the application layer (single encryption key), and hence replaying of the token will still work (assuming the session hasn;t expired).

dd

pire pire wrote:
Hi,

I'm wondering if it's possible via a XSS attack to steal an encrypted cookie (actually it's a session token)? (with some javascript like: document.cookie etc...)

If yes, is it also possible to replay this cookie? (of course the session must still be valid on the server)

I know it works with regular cookie.
Thanks a lot for your help



---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault