Can anybody tell me about XSS

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Can anybody tell me about XSS

Post by goldensparrow »

Can anybody tell me what attackers can do to avail of cookies when they have stolen cookies successfully?

I don't know much about XSS, but as far as I know attackers can use cookies for hijacking a session.

Can anybody tell me more information?

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Can anybody tell me about XSS

Post by kaisellgren »

Yes, they can steal your session identifier and use it to get in the session. Some weaker systems might even store a password in the cookie.

What XSS can do is far beyond cookie stealing. You have complete control over the layout in most cases and that renders many protections completely useless (Challenge-Response, client certificate authentication, etc). XSS can be used for numerous other reasons. It can be used to achieve (D)DOS attacks and XSS will completely bypass firewalls - bypasses the domain security model of browsers (same origin policy). It can be used to do less harmful things, too, like displaying adverts, defacing your visitors, humiliating them, showing them naked pictures of Allah making you responsible for that, or redirecting to malware and a lot more. With XSS you can also steal clipboard data and keylog - which violates your visitors' privacy policy.

So, the list of things you can do with XSS is pretty much limited to the attacker's imagination.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Can anybody tell me about XSS

Post by goldensparrow »

kaisellgren wrote: Yes, they can steal your session identifier and use it to get in the session. Some weaker systems might even store a password in the cookie.
How does an attacker steal the session identifier when they got cookies in which a password was stored?

And do you know where the cookies for Firefox are? I know that it's in \Local Settings\Application Data\Mozilla\Firefox\Profiles\

but it has no cookies.txt.

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Can anybody tell me about XSS

Post by kaisellgren »

I don't know where Firefox stores its cookie file. When I create requests, I work with HTTP and the web, I typically use cURL. I like to be in charge, although Tamper Data extension for Firefox is often a simpler approach to get things done.
goldensparrow wrote: How does an attacker steal the session identifier when they got cookies in which a password was stored?
You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
emix
Forum Newbie
Posts: 8
Joined: Mon Jun 22, 2009 10:32 am
Location: Poland

Re: Can anybody tell me about XSS

Post by emix »

goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Can anybody tell me about XSS

Post by goldensparrow »

kaisellgren wrote: You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
How can an attacker get the password? They got it from cookies, right? And how?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Can anybody tell me about XSS

Post by kaisellgren »

goldensparrow wrote:
kaisellgren wrote: You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
How can an attacker get the password? They got it from cookies, right? And how?
Umh, I'm not exactly following you, but if the site is built insecurely and stores a password within the cookie, then by stealing the cookie you can steal the password.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Can anybody tell me about XSS

Post by goldensparrow »

kaisellgren wrote:
goldensparrow wrote:
kaisellgren wrote: You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
How can an attacker get the password? They got it from cookies, right? And how?
Umh, I'm not exactly following you, but if the site is built insecurely and stores a password within the cookie, then by stealing the cookie you can steal the password.
May I ask how they can steal the password in cookies?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Can anybody tell me about XSS

Post by kaisellgren »

Why do you need to know this?
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Can anybody tell me about XSS

Post by goldensparrow »

I just want to know in order to test my web, because the best tester should know how a hacker can attack the web. But I know you are distrusting me and I understand your thought. OK, I don't want to know.
Thanks again.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Can anybody tell me about XSS

Post by kaisellgren »

Well, if a few situations come true, you could get a password as easily as writing JS: alert(document.cookie);
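
Two conditions that leave a cookie's contents reachable in the way this thread discusses are a cookie set without HttpOnly (so page script can read it through document.cookie) and a site that keeps a credential in it. The check below is an added example, not part of the original thread: it audits Set-Cookie headers for both conditions. The function names, the credential-name heuristic and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for script-readable or credential-bearing cookies.

// Assumed heuristic: cookie names that suggest a credential is stored client-side.
const CREDENTIAL_NAME = /pass(word|wd)?|pwd|secret|credential/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive, so normalise them.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the findings for one header; an empty list means nothing was flagged.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('no HttpOnly: readable via document.cookie');
  if (!attrs.secure) findings.push('no Secure: also sent over plain HTTP');
  if (!attrs.samesite) findings.push('no SameSite attribute');
  if (CREDENTIAL_NAME.test(name)) findings.push('name suggests a stored credential');
  return findings;
}

// Constructed sample headers: a weak credential cookie and a hardened session cookie.
const SAMPLE_HEADERS = [
  'password=constructed-hash-value; Path=/',
  'PHPSESSID=constructedsessionid123; Path=/; Secure; HttpOnly; SameSite=Lax',
];

// Audit a list of headers and report findings per cookie name.
function auditAll(headers) {
  return headers.map((h) => ({ cookie: parseSetCookie(h).name, findings: auditSetCookie(h) }));
}

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```

HttpOnly only keeps the cookie out of script; it does not remove the XSS flaw itself, so output escaping is still required.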