[WEB SECURITY] Session hijacking via XSS vuln requiring POST impossible?

James Landis jcl24 at cornell.edu
Mon Dec 18 13:52:24 EST 2006

No, the cookie can be stolen with XSS via POST, as well. The only required
conditions are that:

1) the script runs in the context of a site with access to the cookie
(underscoring the importance of domain restrictions)
2) the script has access to the cookie value (e.g. the HttpOnly flag is not
set or the browser does not respect it)


On 12/18/06, Holger.Peine at iese.fraunhofer.de <Holger.Peine at iese.fraunhofer.de> wrote:
> Hello everyone,
> there was a discussion on webappsec about one year ago whether GET
> is in any substantial way more dangerous than POST; leaving aside
> issues like leaving traces in logs etc., in the particular context
> of reflected XSS (e.g. sending the victim a link containing XSS attack
> code) consensus seemed to be that an XSS-vulnerable page amounts to
> pretty much the same threat no matter whether being accessible via GET
> or POST, the reasoning being this:
> If the XSS-prone parameter in the application can only be accessed via
> POST (e.g. a form parameter), then the attacker, while not being able to
> send the victim a link that directly POSTs the XSS code to that
> parameter, would send a link that GETs an attacker page instead, and
> that page in turn would perform (by means of a small form that is
> automatically submitted) the POST to the vulnerable parameter on the
> target application.
> While the above is correct, I feel that it misses the point of many XSS
> attacks, and that is stealing the session cookie: The whole point of XSS
> is that the victim will execute the attack code in the context of the
> vulnerable web site (since only then will the code be able to access the
> session cookie with that web site). If the "poisoned" link sends the
> victim to an attacker page, the session cookie with the target site will
> not be sent along.
> So, is session hijacking in the form of stealing the victim's session
> cookie by means of sending them a link containing Javascript only
> possible if the XSS vulnerability on the target site is accessible via
> GET - or did I miss something here after all?
> Thanks in advance for your opinion,
> Holger Peine
> --
> Dr. Holger Peine, Security and Safety
> Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
> Phone +49-631-6800-2134, Fax -1899 (shared)
> PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE
> 2BBB C126 A592 48EA F9F8
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
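
An added example, not part of the original messages: a small JavaScript audit of `Set-Cookie` headers against the two conditions listed in the reply (cookie scope and script readability). The function names, host names and cookie values are constructed for illustration.

```javascript
// Added example: audit a Set-Cookie header for the two exposure conditions.
// All names and sample values here are hypothetical.

// Parse one Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1), // value may itself contain '='
    attrs: {},
  };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Report how a cookie set by `host` is exposed to script and to other hosts.
function auditCookie(header, host) {
  const c = parseSetCookie(header);
  const findings = [];
  // Condition 2: without HttpOnly, document.cookie exposes the value to page script.
  if (!c.attrs.httponly) findings.push('script-readable: HttpOnly not set');
  // Condition 1: any Domain attribute turns a host-only cookie into one that
  // is also sent to subdomains, so script on those hosts is in scope too.
  const domain = typeof c.attrs.domain === 'string'
    ? c.attrs.domain.replace(/^\./, '').toLowerCase()
    : null;
  if (domain) {
    findings.push(domain === host.toLowerCase()
      ? `sent to all subdomains of ${domain}`
      : `widened to parent domain ${domain}`);
  }
  return { name: c.name, findings };
}
```

A cookie that returns no findings is host-only and unreadable from script in browsers that honor HttpOnly.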