The Artima Developer Community
Putting my Hand in the Cookie Jar

5 replies on 1 page. Most recent reply: Mar 16, 2004 4:13 PM by Jonathan Dodds

Welcome Guest
  Sign In

Go back to the topic listing  Back to Topic List Click to reply to this topic  Reply to this Topic Click to search messages in this forum  Search Forum Click for a threaded view of the topic  Threaded View   
Previous Topic   Next Topic
Flat View: This topic has 5 replies on 1 page
Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

Putting my Hand in the Cookie Jar
Posted: Feb 28, 2004 5:36 AM
Summary
JavaScript is not as innocuous as some would like to believe.

There was some doubt in the follow-up to my last blog entry about whether JavaScript, or other scripting languages for that matter, can be used to mount effective XSS attacks. Unless you disable scripts in your browser, you can, as I hope to show here.

Here is a button that shows your session cookie and takes you to my web site.

The cookie is not sent to my server when you press the button, but, technically, there is nothing stopping me from doing that. I can then hijack your session, for example.


Charles Bell

Posts: 519
Nickname: charles
Registered: Feb, 2002

Re: Putting my Hand in the Cookie Jar Posted: Mar 3, 2004 2:14 PM
I appreciate your blogs.

So what are you using to produce the session id info?

Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

Re: Putting my Hand in the Cookie Jar Posted: Mar 5, 2004 11:15 PM
Thanks for the appreciation.
The session id is in the cookie. The cookie is shown with the following script:

// Displays every cookie the page's script is allowed to read (the session id included).
function showCookie() {
    alert(document.cookie);
}

Matt Gerrans

Posts: 1152
Nickname: matt
Registered: Feb, 2002

Re: Putting my Hand in the Cookie Jar Posted: Mar 8, 2004 8:48 PM
But I thought the whole idea behind using cookies was that they are the only thing the browsers let you get/set on the client system and are pretty innocuous -- they only contain a little scrap of data from the site you are on (in this case, a little ID info so Jive can show you your watches). Can you use that information to do something nefarious? After all, hijacking my session is not much worse than pop-unders, is it?

For example, if I click the button and you do collect the cookie info on your web site, could you then use that to get into my Artima account (by having your browser send it or something) and post a bogus blog by me?

Johan Peeters

Posts: 30
Nickname: yo
Registered: Nov, 2003

Re: Putting my Hand in the Cookie Jar Posted: Mar 9, 2004 12:06 AM
I do not know the ins and outs of Jive, but my guess is that, yes, I would effectively be you as far as Jive is concerned if I pass it your session cookie. So I could then start blogging as Matt, change your password, ...

Jonathan Dodds

Posts: 464
Nickname: jrdodds
Registered: Mar, 2004

Re: Putting my Hand in the Cookie Jar Posted: Mar 16, 2004 4:13 PM
I have always felt that being able to see, let alone change, the values of cookies on the client side was not a feature.

i.e.
a.) Cookies should only be able to be set from the server side.
b.) The browser remembers and passes back a server's cookies.
c.) But client side code can not examine or change cookie values.

I think this was the original intention but was somehow lost.
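The behaviour Jonathan asks for in (a)-(c) exists as the HttpOnly cookie attribute: the browser still stores and returns such a cookie, but document.cookie omits it, so the showCookie() script earlier in the thread shows nothing useful. The example below is added here and is not code from the thread or from Jive; it builds a hardened Set-Cookie header and audits a captured header for script exposure. The cookie name JSESSIONID, the value abc123 and the WEAK sample header are constructed for illustration.

```javascript
// Added example: hardened session cookie beside the weak form, with an audit
// helper. Names and values below are constructed, not taken from the thread.

// Build a Set-Cookie header for a session id with the attributes that keep it
// out of document.cookie (HttpOnly) and off plaintext connections (Secure).
function buildSessionCookie(name, value, opts = {}) {
  const { maxAge = 3600, secure = true, httpOnly = true, sameSite = "Lax" } = opts;
  // RFC 6265 token characters for the name; reject anything else.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error("invalid cookie name");
  }
  // Cookie values must not contain whitespace, ';', ',', '"' or '\'.
  if (/[\s;,"\\]/.test(value)) {
    throw new Error("invalid character in cookie value");
  }
  const parts = [`${name}=${value}`, "Path=/", `Max-Age=${maxAge}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Audit a Set-Cookie header (e.g. one captured from a response) and report
// whether page script could read the cookie through document.cookie.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  const httpOnly = flags.has("httponly");
  const secure = flags.has("secure");
  return { name, httpOnly, secure, scriptReadable: !httpOnly };
}

// Constructed samples: the weak form the thread's button could read, and the
// hardened form produced above.
const WEAK = "JSESSIONID=abc123; Path=/";
const HARDENED = buildSessionCookie("JSESSIONID", "abc123");

if (typeof require !== "undefined" && require.main === module) {
  for (const h of [WEAK, HARDENED]) {
    const r = auditSetCookie(h);
    console.log(`${r.name}: readable by script=${r.scriptReadable} secure=${r.secure}`);
  }
}
```

Run with node; the weak header reports scriptReadable=true and the hardened one false, which is the check worth adding to any response-header review.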
