
List:       webappsec
Subject:    Re: XSS and URL Encoded Session IDs
From:       Matthew Miller <mmiller () atstake ! com>
Date:       2002-12-17 16:56:39

If the SID is sent via a request parameter, use the document.referrer object.

e.g.
https://somesite.com/bad.asp?SID="your_sid"&ID=<script>alert(document.referrer)</script>

mm


On Tuesday, December 17, 2002, at 06:21 AM, Ryan Yagatich wrote:

> BF,
> 	Here's my thought on this, and though it may not be the best
> solution, it is at least _a_ solution.
>
> Looking at this from the more objective POV, I see the 'problem' as being
> 'How do I get the SessionID'.
>
> Well, I'm not big on the ASP/IIS side of things, but I have noticed a
> trend in a few ways of getting that information.
>
> Q) How does the client get the SessionID?
> A) The client can either get the SessionID from a cookie that is placed on
> their system (i.e. ASPSESSION='...'), or the server embeds the SID in HREF
> links on the page.
>
> So, there are 2 places you could write code, either
> A) accept the cookie, extract the SessionID
> B) retrieve a URL and get the SessionID from the parsed string.
>
> Both which would take either 2-3 different steps.
>
> Thanks,
> Ryan Yagatich
> ,_____________________________________________________,
> \ Ryan Yagatich                     support@pantek.com \
> / Pantek Incorporated                  (877) LINUX-FIX /
> \ http://www.pantek.com                 (440) 519-1802 \
> /                                                      /
> \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
>
> On Mon, 16 Dec 2002, B F wrote:
>
>> Hi List,
>>
>> recently I did my first "real" WebApp Audit, so I'm quite
>> new to this topic. The application in case has lots of
>> XSS Vulnerabilities, but they are only accessible if you
>> already know the SessionID of a specific user. Example
>>
>> https://somesite.com/bad.asp?SID=4243434234234234?ID=<xss string of choice>
>>
>> As you may have noticed the site is only accessible via HTTPS.
>> So how to craft a URL which will trigger the XSS? Don't
>> I have to know the SessionID first?
>>
>> The only thing I can think of is to exploit a client side vuln.
>> to get the SID.
>>
>> Any better ideas?
>>
>> BF
>>
>

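The defender's counterpart to the exchange above, added here and not part of the original thread: a scan over web-server access logs that flags session IDs travelling in request URLs or in Referer headers, which is exactly the exposure that document.referrer (and any third-party link on the page) relies on. The combined log format, the sample lines and the parameter name "SID" are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format fields: client, timestamp, method, path, status, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-string parameter names that carry the session identifier (assumption: "SID",
# as in the thread; add the names your own application uses).
SID_PARAMS = ("sid",)

# Constructed sample log lines; line 2 shows the browser forwarding the SID in Referer.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2002:16:56:39 +0000] "GET /bad.asp?SID=4243434234234234&ID=1 HTTP/1.1" 200 512 "https://somesite.com/index.asp" "Mozilla/4.0"
10.0.0.5 - - [17/Dec/2002:16:57:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 98 "https://somesite.com/bad.asp?SID=4243434234234234&ID=1" "Mozilla/4.0"
10.0.0.7 - - [17/Dec/2002:16:58:10 +0000] "GET /login.asp HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

def session_ids_in(url: str) -> list[str]:
    """Return every session-ID value found in the query string of a URL or path."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v for name, values in params.items() if name.lower() in SID_PARAMS for v in values]

def find_sid_exposures(log_text: str) -> list[tuple[int, str, str]]:
    """Report (line_no, where, sid) for each session ID seen in a request URL
    ("url": the application is putting the SID in links) or in a Referer header
    ("referer": the browser is already forwarding that SID to whatever the page
    links to, so any cross-site link or script on that page would leak it)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        for sid in session_ids_in(m["path"]):
            findings.append((line_no, "url", sid))
        if m["referer"] != "-":
            for sid in session_ids_in(m["referer"]):
                findings.append((line_no, "referer", sid))
    return findings

if __name__ == "__main__":
    for line_no, where, sid in find_sid_exposures(SAMPLE_LOG):
        print(f"line {line_no}: session ID {sid} exposed in {where}")
```

A non-empty result is the cue to move the session identifier out of the URL into a cookie, after which Referer can no longer carry it.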