Q and A for any cross site scripting information. Feel free to ask away. 
How about this solution for cross domain set cookie?
Posted by: joel
Date: May 24, 2012 03:21AM

There are 2 domains using the same cookie pair (uid & sid) to authenticate users:
www.logger.com
www.logspot.com

uid was to identify a user, and sid was to authenticate him.

Suppose most of the users will log in via www.logger.com, and the browser will set the cookies:
Set-Cookie: uid=15732; PATH=/; DOMAIN=logger.com;
Set-Cookie: sid=FupX5px7X; PATH=/; DOMAIN=logger.com;

And when the user clicks a hyperlink in www.logger.com to jump to www.logspot.com/index.html, I don't want the user to input his uid and password again.

I wrote a script which is placed in www.logger.com (http://www.logger.com/get_sid.php):
<?php
// Served as JavaScript so it can be loaded with <script src=...> from the other domain
header("Content-Type: application/x-javascript");

if (isset($_COOKIE["uid"]) && isset($_COOKIE["sid"])) {
    // Emit JavaScript that copies the logger.com cookies onto the logspot.com domain.
    // The cookie values are inserted into the JavaScript string literals as-is.
    echo "document.cookie = 'uid=" . $_COOKIE["uid"] . "; path=/; domain=logspot.com;';\n";
    echo "document.cookie = 'sid=" . $_COOKIE["sid"] . "; path=/; domain=logspot.com;';\n";
} else {
    // Not logged in: emit a harmless no-op statement
    echo "void(0);";
}
?>

And then, I put this script tag inside www.logspot.com/index.html:
<script src="http://www.logger.com/get_sid.php"></script>

I have tried this, and the script can set the cookies for www.logspot.com.

I have tried JSON-hijacking this script, but I failed.

Do you think this solution is safe to use?

Re: How about this solution for cross domain set cookie?
Posted by: lightos
Date: May 24, 2012 10:14AM

It is vulnerable to XSS.

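An added illustration of the reflection lightos is pointing at; it is not code from any poster in this thread. It rebuilds the JavaScript that get_sid.php emits two ways, once mirroring joel's string concatenation and once with the cookie string encoded as a JSON literal (what PHP's json_encode() produces), then runs each against a stand-in document object to count how many cookie assignments a crafted cookie value causes. The crafted value, the harness and the function names are constructed for this example.

```javascript
// Constructed example: the JavaScript that get_sid.php emits, built two ways.

// Mirrors the PHP concatenation in the post: the cookie value is pasted
// straight into a single-quoted JavaScript string literal.
function unsafeCookieScript(name, value, domain) {
  return "document.cookie = '" + name + "=" + value + "; path=/; domain=" + domain + ";';\n";
}

// Hardened form: the whole cookie string becomes one JSON string literal
// (what PHP's json_encode() would give you), with '<' and the U+2028/2029
// line terminators escaped so the text can never close the script element
// or break the literal. The cookie name is restricted to token characters.
function safeCookieScript(name, value, domain) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) {
    throw new Error("invalid cookie name");
  }
  const cookie = name + "=" + value + "; path=/; domain=" + domain + ";";
  const literal = JSON.stringify(cookie)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "document.cookie = " + literal + ";\n";
}

// Test harness only: run the emitted script against a stand-in `document`
// and record every value assigned to document.cookie. A script built from
// one cookie should produce exactly one assignment.
function cookieAssignments(script) {
  const assignments = [];
  const fakeDocument = {
    set cookie(v) { assignments.push(v); },
  };
  new Function("document", script)(fakeDocument);
  return assignments;
}

// Constructed cookie value: a quote and a semicolon end the literal early.
const crafted = "abc'; document.cookie='injected=1";
console.log(cookieAssignments(unsafeCookieScript("sid", crafted, "logspot.com")));
// unsafe: two assignments, the second one chosen by whoever set the cookie
console.log(cookieAssignments(safeCookieScript("sid", crafted, "logspot.com")));
// safe: one assignment, with the crafted text kept inert inside the value
```

Escaping fixes the reflection only; whether the two sites should be handing a session id to each other this way is a separate design question.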
Re: How about this solution for cross domain set cookie?
Posted by: PaPPy
Date: May 25, 2012 05:16PM

lol, first thing I noticed

http://www.xssed.com/archive/author=PaPPy/

Re: How about this solution for cross domain set cookie?
Posted by: joel
Date: May 25, 2012 08:50PM

?
