WebApp Sec mailing list archives
Re: Custom session tokens and XSS
From: Marc Slemko <marcs () znep com>
Date: Tue, 12 Aug 2003 15:17:12 -0700 (PDT)
On Tue, 12 Aug 2003, PortSwigger wrote:
> I have recently looked at a web application which maintains session state using a custom token stored in a hidden form field. Each page within the application is accessed using a POST request which includes the token. Several locations within the authenticated areas of the application exhibited XSS-like behaviour (i.e. client data submitted in form and URL querystring fields is returned unsanitised to the browser).
>
> However (as far as I could see) there was no way to exploit this to attack other users. Any request not containing a valid session token results in a redirect to the login page. And so, assuming that only the user knows their own session token, only they could frame a malicious request that would succeed in injecting arbitrary HTML/JavaScript into their browser.
...as long as there is no way for another page to get a javascript or vbscript etc. reference to that window, since it could then read the contents and take the token and do what it wants with it.
Current thread:
- Custom session tokens and XSS PortSwigger (Aug 12)
- Re: Custom session tokens and XSS Marc Slemko (Aug 12)
- <Possible follow-ups>
- RE: Custom session tokens and XSS Dean Saxe (Aug 12)
- RE: Custom session tokens and XSS Rob Morhaime (Aug 12)
- RE: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS Thomas Chiverton (Aug 13)
- Re: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS Ingo Struck (Aug 13)
- Re: Custom session tokens and XSS Stephen de Vries (Aug 13)
- Re: Custom session tokens and XSS Cyrill Osterwalder (Aug 13)
- Re: Custom session tokens and XSS PortSwigger (Aug 13)
- Re: Custom session tokens and XSS Ingo Struck (Aug 14)
- RE: Custom session tokens and XSS Stephen de Vries (Aug 13)
