Session cookie hijacking

I posted about XSS previously. XSS is commonly used by malicious parties to steal session cookies in order to hijack a victim's active session and impersonate them.
For session cookie hijacking to be successful, the victim must already be logged into the application. Next, the victim must be tricked into clicking on a link to invoke the Javascript to compromise their cookie. In my video, I first display the session cookie using a Javascript pop-up by exploiting the lack of input validation on the third party's webserver. I set up a webserver on my local machine and I trigger another Javascript to request a resource that doesn't exist on my webserver. The session cookie is recorded in my webserver log as a result.
The high res version of this demo can be downloaded here.
at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

dnssecaudit.py

Since I was on a roll with Copilot, I decided to automate DNSSEC auditing with the following Python script. Not the most creative tool name....

  • "An error occured in avast! engine: Invalid argument"
    This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after...
  • Encrypted mails
    I decided to install a digital certificate for my Gmail account. This is simple and free to set up. Apply for a free certificate from Comod...