http://qs1969.pair.com?node_id=147192


in reply to Re: Re: Re: Preventing Cross-site Scripting Attacks
in thread Preventing Cross-site Scripting Attacks

I think tye has a good warning at his home node, where he says that someone can steal your password if you have javascript enabled.

In short, the problem is this: Javascript can access the cookies you have for the current site. Without going into too much detail, it only take a few lines of javascript to grab your login cookie and send it to a script at some site, and it only takes a few lines of for example perl to craft a cookie for a browser that will allow anyone to log in as you. Notice that with this method, you don't even need to decode the password!

I haven't tried it at this site, nor will I, so I am not 100% that there aren't any safeguards against it that I am unaware of. But I have, as an experiment, crafted just such a thing on above mentioned http://www.avidgamers.com. I was able to steal my own password and log in with a crafted cookie at a computer that I never had went there with before. I am a curious soul.

It is quite possible that one shouldn't be talking about this, so as to not give anyone any ideas. But I do this anyways, for two purposes. If you are aware of how easy this would be to accomplish, you will hopefully protect yourself. And maybe scripts and event handlers will be stripped out from user-provided HTML. As a sidenote, I wonder if our moves are tracked via IP or something at this site, so it would be sufficiently easy to prove you didn't do a certain thing, and also to track the thief if needs would be?

Again, note that this is only a risk where you have both these things; session-cookies which identify you, and the possibility for users to add arbitrary javascript to a page you will be viewing.

Does that explain the matter?


You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Preventing Cross-site Scripting Attacks
by markmoon (Deacon) on Feb 26, 2002 at 03:38 UTC
    Yes it does. Thanks a lot for the explanation.

    markmoon