
Can anybody tell me about XSS

Posted: Mon Jun 22, 2009 4:56 am
by goldensparrow
Can anybody tell me what attackers can do to avail of cookies when they have stolen cookies successfully?

I don't know much about XSS, but as far as I know attackers can use cookies for session hijacking.

Can anybody give me more information?

Thanks

Re: Can anybody tell me about XSS

Posted: Mon Jun 22, 2009 6:08 am
by kaisellgren
Yes, they can steal your session identifier and use it to get in the session. Some weaker systems might even store a password in the cookie.

What XSS can do is far beyond cookie stealing. You have complete control over the layout in most cases, and that renders many protections completely useless (Challenge-Response, client certificate authentication, etc). XSS can be used for numerous other reasons. It can be used to achieve (D)DOS attacks, and XSS will completely bypass firewalls - it bypasses the domain security model of browsers (same origin policy). It can be used to do less harmful things, too, like display adverts, defacing your visitors, humiliating them, showing them naked pictures of Allah making you responsible for that or redirect to malware and a lot more. With XSS you can also steal clipboard data and keylog - which violates your visitors' privacy policy.

So, the list of things you can do with XSS is pretty much limited to the attacker's imagination.

Re: Can anybody tell me about XSS

Posted: Tue Jun 23, 2009 4:08 am
by goldensparrow
kaisellgren wrote: Yes, they can steal your session identifier and use it to get in the session. Some weaker systems might even store a password in the cookie.
How does an attacker steal the session identifier when they have got cookies in which a password was stored?

And do you know where the cookies for Firefox are? I know that it's in \Local Settings\Application Data\Mozilla\Firefox\Profiles\

but it has no cookies.txt

thanks

Re: Can anybody tell me about XSS

Posted: Tue Jun 23, 2009 7:25 am
by kaisellgren
I don't know where Firefox stores its cookie file. When I create requests, I work with HTTP and the web, I typically use cURL. I like to be in charge, although Tamper Data extension for Firefox is often a simpler approach to get things done.
goldensparrow wrote: How does an attacker steal the session identifier when they have got cookies in which a password was stored?
You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 2:08 am
by emix

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 2:25 am
by goldensparrow
kaisellgren wrote: You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
How can an attacker get the password? They got it from cookies, right? And how?

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 6:01 am
by kaisellgren
goldensparrow wrote:
kaisellgren wrote: You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
How can an attacker get the password? They got it from cookies, right? And how?
Umh, I'm not exactly following you, but if the site is built insecurely and stores a password within the cookie, then by stealing the cookie you can steal the password.

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 6:11 am
by goldensparrow
kaisellgren wrote:
goldensparrow wrote:
kaisellgren wrote: You don't need a session identifier in that case. Just use the password (or an encrypted version of it) you got.
How can an attacker get the password? They got it from cookies, right? And how?
Umh, I'm not exactly following you, but if the site is built insecurely and stores a password within the cookie, then by stealing the cookie you can steal the password.
May I ask how they can steal the password in cookies?

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 6:18 am
by kaisellgren
Why do you need to know this?

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 6:33 am
by goldensparrow
I just want to know in order to test my web, because the best tester should know how a hacker can attack the web. But I know you are distrusting me and I understand your thought. OK, I don't want to know.
Thanks again.

Re: Can anybody tell me about XSS

Posted: Wed Jun 24, 2009 6:38 am
by kaisellgren
Well, if a few situations come true, you could get a password as easily as writing JS: alert(document.cookie);
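
Added example, not part of the thread or any poster's code: the situation discussed above depends on a sensitive cookie that page script is allowed to read, so this defender-side check audits `Set-Cookie` headers for credential-like or session-like cookies missing `HttpOnly` or `Secure`. The header values, the name heuristics and the finding labels are constructed assumptions for illustration.

```javascript
// Constructed sample Set-Cookie header values (not from any real site).
const SAMPLE_HEADERS = [
  "PHPSESSID=8f3a1c; Path=/",
  "sid=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Lax",
  "user_password=example-value; Path=/; Expires=Wed, 24 Jun 2009 06:38:00 GMT",
  "theme=dark; Path=/",
];

// Heuristic (assumption): names suggesting a credential is stored client-side.
const CREDENTIAL_NAME = /pass(word|wd)?|pwd|secret|credential/i;
// Heuristic (assumption): names suggesting a session identifier.
const SESSION_NAME = /sess|sid|auth|token/i;

// Split one Set-Cookie value into the cookie name and its attribute names.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Set(
    parts.slice(1).map((p) => p.split("=")[0].trim().toLowerCase())
  );
  return { name, attrs };
}

// Report why a cookie would be exposed if script ran in the page.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const isCredential = CREDENTIAL_NAME.test(name);
  const sensitive = isCredential || SESSION_NAME.test(name);
  // A password in a cookie is a design flaw regardless of flags.
  if (isCredential) findings.push("credential-in-cookie");
  // Without HttpOnly, document.cookie exposes the value to any script.
  if (sensitive && !attrs.has("httponly")) findings.push("readable-by-script");
  // Without Secure, the cookie is also sent over plain HTTP.
  if (sensitive && !attrs.has("secure")) findings.push("sent-over-http");
  return { name, findings };
}

// Keep only cookies that have at least one finding.
function auditAll(headers) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```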