[WEB SECURITY] Session hijacking via XSS vuln requiring POST impossible?

Brian Eaton eaton.lists at gmail.com
Mon Dec 18 15:18:20 EST 2006


On 12/18/06, Holger.Peine at iese.fraunhofer.de
<Holger.Peine at iese.fraunhofer.de> wrote:
> The whole point of XSS is that the victim will execute the attack code in
> the context of the vulnerable web site (since only then will the code be
> able to access the session cookie with that web site). If the "poisoned"
> link sends the victim to an attacker page, the session cookie with the
> target site will not be sent along.

The attack would work like this:

1) Victim sends a GET request to the attacker's web site.
2) Attacker's web site returns an HTML page with javascript to send a
POST request to the targeted web site.
3) The POST request injects script into the targeted web site.
4) The script runs in the context of the targeted web site.

So in that sense, pages submitted with POST instead of GET are equally
vulnerable to XSS.

However, there's another aspect of the problem: how hard is it to get
the user to step 1, where they send a request to the attacker's web
site?  You somehow need to get the user to follow a link.  You could
send them an e-mail, but doing that en masse is kind of noisy.  Or you
could try to get victims to find your web page with a web search or an
advertisement, but that can be difficult or expensive.  Or you could
try to target your attack by adding links to blogs or other web pages
that potential victims might visit.

RSnake (http://ha.ckers.org) pointed out to me a few months back that
there are many web sites that will let you post <img> tags, but not
other HTML tags that browsers will follow.  As far as I know, there is
no way to make a browser send a POST request based on an <img> tag,
but you can get browsers to send arbitrary GET requests.  So it is
easier to do the targeting if your XSS exploit only requires GET.

I wouldn't suggest relying on that for security.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]