Hey.

I've got write access to cookies on a certain hypothetical application. I'm wondering if there are any attacks that can be used aside from session fixation, which isn't an option since the app generates a new session ID on login - if I change someone else's session ID to mine it just logs them in as me, which isn't terribly useful.

The contents of the cookie aren't reflected in the html anywhere I can find so I don't think XSS is an option. I'll report the vuln whether or not any major attacks can be launched with it, but a decent POC helps with getting taken seriously.

edit: It can be used for XSS by logging them into my account but the session ID has httponly set and I can't alter this so the XSS is essentially useless.



Edited 2 time(s). Last edit at 05/31/2010 07:40PM by Albino.

Assuming that you log the victim into your account by storing a cookie on their browser (and not going through the login process via CSRF), you can restrict the path of that cookie to the page where the XSS hole is.

Send them there while they are logged in as themselves (for the rest of the site) and you have an XSS jumping off point for CSRF attacks against their account.

-clayfox

Quote
Albino
if I change someone else's session ID to mine it just logs them in as me, which isn't terribly useful.

two weeks ago I listened to a talk given by Martin Johns where he mentioned the scenario logging someone into your own gmail account by CSRF and then be able to have a look at his google search history later on. A scenario I haven't thought of before.
maybe that helps you to think about some more scenarios (all depending on the account options of course).