[WEB SECURITY] Session hijacking via XSS vuln requiring POST impossible?

Jeff Robertson jeff.robertson at gmail.com
Mon Dec 18 13:53:10 EST 2006


The link sent to the victim will GET a page on the attacker's site, which
will indeed not have the session cookies from the XSS-vulnerable
application. But as soon as the attacker's site POSTs back to the vulnerable
app, the desired cookies will be available again.

Of course the victim MIGHT be less likely to follow a link to the attacker's
page, but then again if that was true why would phishing be a problem?

On 12/18/06, Holger.Peine at iese.fraunhofer.de <
Holger.Peine at iese.fraunhofer.de> wrote:
>
> Hello everyone,
>
> there was a discussion on webappsec about one year ago whether GET
> is in any substantial way more dangerous than POST; leaving aside
> issues like leaving traces in logs etc., in the particular context
> of reflected XSS (e.g. sending the victim a link containing XSS attack
> code) consensus seemed to be that an XSS-vulnerable page amounts to
> pretty much the same threat no matter whether being accessible via GET
> or POST, the reasoning being this:
>
> If the XSS-prone parameter in the application can only be accessed via
> POST (e.g. a form parameter), then the attacker, while not being able to
> send the victim a link that directly POSTs the XSS code to that
> parameter, would send a link that GETs an attacker page instead, and
> that page in turn would perform (by means of a small form that is
> automatically submitted) the POST to the vulnerable parameter on the
> target application.
>
> While the above is correct, I feel that it misses the point of many XSS
> attacks, and that is stealing the session cookie: The whole point of XSS
> is that the victim will execute the attack code in the context of the
> vulnerable web site (since only then will the code be able to access the
> session cookie with that web site). If the "poisoned" link sends the
> victim to an attacker page, the session cookie with the target site
> will not be sent along.
>
> So, is session hijacking in the form of stealing the victim's session
> cookie by means of sending them a link containing Javascript only
> possible if the XSS vulnerability on the target site is accessible via
> GET - or did I miss something here after all?
>
> Thanks in advance for your opinion,
> Holger Peine
>
> --
> Dr. Holger Peine, Security and Safety
> Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
> Phone +49-631-6800-2134, Fax -1899 (shared)
> PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
> 2BBB C126 A592 48EA F9F8
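The cookie behaviour the reply describes, modelled with Python's standard http.cookiejar as an added example that is not part of the original thread: cookies are chosen by the request's destination, so the GET to the other site carries no session cookie while the cross-site POST back to the application does. Host names, the cookie, the /search path and the q parameter are constructed, and the Origin comparison is an added server-side check the thread does not discuss.

```python
import http.cookiejar
import urllib.request

TARGET = "https://app.example"          # constructed: the XSS-vulnerable application
OTHER_SITE = "https://attacker.example"  # constructed: the page the mailed link points to


def make_jar():
    """Browser-like cookie jar holding one session cookie previously set by TARGET."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name="SESSIONID", value="constructed-session-value",
        port=None, port_specified=False,
        domain="app.example", domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=True, expires=None,
        discard=True, comment=None, comment_url=None, rest={}))
    return jar


def browser_request(jar, url, method, from_origin=None, data=None):
    """Return the Cookie and Origin headers a browser would attach to this request."""
    req = urllib.request.Request(url, data=data, method=method)
    jar.add_cookie_header(req)  # cookies are selected by destination URL only
    headers = {"Cookie": req.get_header("Cookie")}
    if from_origin is not None:  # browsers send Origin on cross-origin POSTs
        headers["Origin"] = from_origin
    return headers


def is_cross_site_post(method, headers, own_origin=TARGET):
    """Server-side view: a POST whose Origin is missing or not our own origin."""
    return method == "POST" and headers.get("Origin") != own_origin


if __name__ == "__main__":
    jar = make_jar()
    # Step 1: the victim follows the link, a GET to the other site.
    print("GET  other site:", browser_request(jar, OTHER_SITE + "/page", "GET"))
    # Step 2: that page's auto-submitted form POSTs to the vulnerable application.
    post = browser_request(jar, TARGET + "/search", "POST",
                           from_origin=OTHER_SITE, data=b"q=placeholder")
    print("POST target    :", post)
    print("cross-site POST:", is_cross_site_post("POST", post))
```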

