On Mon, September 29, 2003 1at 2:34 pm, Shapira, Yoav sent the following > > Howdy, > This is interesting, hopefully you won't mind educating me a bit > further...
Not at all, but keep in mind I haven't studied all that much myself... ;-) >>> - Is it really a vulnerability? What can you get from this > "exploit"? >> >>You can hijack the user's session or steal information from a user's >>cookie pretty easily with a XSS flaw such as this one. > > How would you "hijack" the user's session? By that do you mean just > getting the session ID from the JSESSION cookie on the user's > hard-drive? Once you are able to insert arbritrary Javascript into a page, you could use that power to submit a request to your own website with the JSESSION cookie details. So an example scenario would look like this: 1. User has session open to www.unsecurebank.com. 2. User receives email from malicious user saying "Buy my product here!" but is actually a link to www.unsecurebank.com. The link exploits the XSS vulnerability and uses Javascript to send the cookie information back to the malicous user's website. 3. Malicous user now has access to www.unsecurebank.com. If www.unsecurebank.com also stored sensitive information in any cookies, the malicious user would now have that information as well! In this cause, www.unsecurebank.com could also perform IP address confirmation along with the JSESSION id, but this is only reliable when using HTTPS/SSL. -Dave --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
