Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future: session fixation, hijacking, lockout, replay, session riding, etc.
alternatives to session fixation?
Posted by: Albino
Date: May 31, 2010 07:00PM

Hey.

I've got write access to cookies on a certain hypothetical application. I'm wondering if there are any attacks that can be used aside from session fixation, which isn't an option since the app generates a new session ID on login - if I change someone else's session ID to mine it just logs them in as me, which isn't terribly useful.

The contents of the cookie aren't reflected in the HTML anywhere I can find, so I don't think XSS is an option. I'll report the vuln whether or not any major attacks can be launched with it, but a decent POC helps with getting taken seriously.

edit: It can be used for XSS by logging them into my account, but the session ID has HttpOnly set and I can't alter this, so the XSS is essentially useless.



Edited 2 time(s). Last edit at 05/31/2010 07:40PM by Albino.

Re: alternatives to session fixation?
Posted by: clayfox
Date: June 28, 2010 10:30AM

Assuming that you log the victim into your account by storing a cookie on their browser (and not going through the login process via CSRF), you can restrict the path of that cookie to the page where the XSS hole is.

Send them there while they are logged in as themselves (for the rest of the site) and you have an XSS jumping off point for CSRF attacks against their account.

-clayfox

Re: alternatives to session fixation?
Posted by: Reiners
Date: June 28, 2010 11:09AM

Quote (Albino):
if I change someone else's session ID to mine it just logs them in as me, which isn't terribly useful.

Two weeks ago I listened to a talk given by Martin Johns where he mentioned the scenario of logging someone into your own Gmail account via CSRF and then being able to have a look at his Google search history later on. A scenario I hadn't thought of before.
Maybe that helps you think about some more scenarios (all depending on the account options, of course).
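An added example, not code from this thread, of the server-side defences that close the scenario discussed above: the app already regenerates the session ID on login, but an attacker with cookie-write access plants their own authenticated ID in the victim's browser. Here the authenticated session is bound to the client that performed the login, a mismatch revokes the session, and the cookie is issued with the __Host- prefix so a sibling subdomain cannot set or override it. The store, function names, and the sample addresses and user agents are constructed for the example.

```python
import hashlib
import secrets


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str, "client": fingerprint}

    @staticmethod
    def fingerprint(ip, user_agent):
        # Coarse client binding; NAT and UA churn make this a signal, not proof.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def login(self, pre_login_sid, user, ip, user_agent):
        # Drop the pre-login id (defeats classic fixation) and bind the new
        # authenticated session to the client that actually logged in.
        self.sessions.pop(pre_login_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "client": self.fingerprint(ip, user_agent)}
        return sid

    def resolve(self, sid, ip, user_agent):
        # Returns the user for a valid cookie, or None. A valid id arriving
        # from a different client than the one that logged in is the symptom
        # of a planted (or stolen) cookie, so it is revoked outright.
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if entry["client"] != self.fingerprint(ip, user_agent):
            del self.sessions[sid]
            return None
        return entry["user"]


def set_cookie_header(sid):
    # __Host- prefixed cookies are only accepted over HTTPS, without a Domain
    # attribute and with Path=/, so a sibling subdomain cannot plant them.
    return f"Set-Cookie: __Host-sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def simulate_planted_cookie():
    """Attacker logs in, then their sid is planted in the victim's browser."""
    store = SessionStore()
    attacker_sid = store.login("pre-a", "attacker", "203.0.113.5", "UA-attacker")
    # Victim's browser presents attacker_sid from a different client: revoked.
    victim_view = store.resolve(attacker_sid, "198.51.100.7", "UA-victim")
    # The revocation also costs the attacker their own session.
    attacker_after = store.resolve(attacker_sid, "203.0.113.5", "UA-attacker")
    return victim_view, attacker_after
```

Binding by IP and user agent is a heuristic that breaks for users behind changing NAT addresses, so treat a mismatch as a reason to force re-authentication rather than as proof of attack.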
