Thursday, July 16, 2009

Session cookie hijacking

I posted about XSS previously. XSS is commonly used by malicious parties to steal session cookies in order to hijack a victim's active session and impersonate them.
For session cookie hijacking to be successful, the victim must already be logged into the application. Next, the victim must be tricked into clicking on a link to invoke the JavaScript to compromise their cookie. In my video, I first display the session cookie using a JavaScript pop-up by exploiting the lack of input validation on the third party's webserver. I set up a webserver on my local machine and I trigger another JavaScript to request a resource that doesn't exist on my webserver. The session cookie is recorded in my webserver log as a result.
The high-res version of this demo can be downloaded here.
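The theft described above depends on the session cookie being readable from script. As an added example (not part of the original post or demo), this Node.js check parses `Set-Cookie` response headers and reports session-like cookies that lack the `HttpOnly` attribute; the cookie names, the name heuristic and the sample headers are constructed assumptions.

```javascript
// Added example: find session cookies that script can read via document.cookie.
// All header values below are constructed sample data.

// Assumption: cookie names matching this pattern carry session identifiers.
const SESSION_NAME = /sess|sid|auth|token/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so keys are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  const name = eq === -1 ? first : first.slice(0, eq);
  const value = eq === -1 ? "" : first.slice(eq + 1);
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return the names of session-like cookies set without HttpOnly.
function exposedSessionCookies(headers) {
  const exposed = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (SESSION_NAME.test(c.name) && !c.attrs.httponly) {
      exposed.push(c.name);
    }
  }
  return exposed;
}

// Constructed Set-Cookie values as an application might send them.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/",                     // readable by script
  "sessionid=def456; Path=/; HttpOnly; Secure",   // protected
  "theme=dark; Path=/",                           // not a session cookie
  "auth_token=ghi789; Path=/; httponly",          // protected (case-insensitive)
];

for (const name of exposedSessionCookies(SAMPLE_HEADERS)) {
  console.log(`${name}: missing HttpOnly, readable via document.cookie`);
}
```

`HttpOnly` keeps the cookie value out of reach of injected script, but the missing input validation still has to be fixed, since the script itself still runs in the victim's session.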
