[WEB SECURITY] Session hijacking via XSS vuln requring POST impossible?

Holger.Peine at iese.fraunhofer.de Holger.Peine at iese.fraunhofer.de
Mon Dec 18 05:25:06 EST 2006

Hello everyone,

there was a discussion on webappsec about one year ago whether GET
is in any substantial way more dangerous than POST; leaving aside
issues like leaving traces in logs etc., in the particular context
of reflected XSS (e.g. sending the victim a link containing XSS attack
consensus seemed to be that an XSS-vulnerable page amounts to pretty
the same threat no matter whether being accessible via GET or POST, the 
reasoning being this: 

If the XSS-prone parameter in the application can only be accessed via 
POST (e.g. a form parameter), then the attacker, while not being able to

send the victim a link that directly POSTs the XSS code to that
would send a link that GETs an attacker page instead, and that page in
turn would
perform (by means of a small form that is automatically submitted) the
POST to the vulnerable parameter on the target application.

While the above is correct, I feel that it misses the point of many XSS
attacks, and that is stealing the session cookie: The whole point of XSS
is that the victim will execute the attack code in the context of the
vulnerable web site (since only then will the code be able to access the
session cookie with that web site). If the "poisoned" link sends the
to an attacker page, the session cookie with the target site will not 
be sent along.

So, is session hijacking in the form of stealing the victim's session
by means of sending them a link containing Javascript only possible if
XSS vulnerability on the target site is accessible via GET - or did I
something here after all?

Thanks in advance for your opinion,
Holger Peine

Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1899 (shared)
PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
2BBB C126 A592 48EA F9F8

The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list