Home page logo

pen-test logo Penetration Testing mailing list archives

RE: XSS with encrypted cookie?
From: Achim Dreyer <adreyer () math uni-paderborn de>
Date: Thu, 11 Dec 2003 17:55:10 +0100 (MET)

On Thu, 11 Dec 2003, Rajesh Jose wrote:


I didn't get "encrypted session token cookie". Normally nobody will be
encrypting a session token. So far as the session token is strongly
random nothing can be achieved by encrypting it.
Or did you mean secure cookie? 
Secure cookie is a cookie which can be fetched by the server only
through a SSL channel.

In all these cases "encrypted, not-encrypted and secured" it is possible
to fetch a cookie through XSS attack and replay the session. 

Replaying of session token will not possible if the application is using
source IP for session validation.

.. unless of course when user and attacker live on the same system, which
is quite possible on any unix system or something like a citrix server 

Achim Dreyer
A. Dreyer, Senior SysAdmin (UNIX&Network) / Internet Security Consultant


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]