The Artima Developer Community

Thinking Aloud
Putting my Hand in the Cookie Jar
by Johan Peeters
February 28, 2004
JavaScript is not as innocuous as some would like to believe.


There was some doubt in the follow-up to my last blog entry about whether JavaScript, or other scripting languages for that matter, can be used to mount effective XSS attacks. Unless you disable scripts in your browser, it can, as I hope to show here.

Here is a button that shows your session cookie and takes you to my web site.

The cookie is not sent to my server when you press the button, but technically there is nothing stopping me from doing so. I can then hijack your session, for example.


About the Blogger

Johan Peeters is an independent software architect who spends a lot of time plumbing and generally fixing leaks.

This weblog entry is Copyright © 2004 Johan Peeters. All rights reserved.


Copyright © 1996-2018 Artima, Inc. All Rights Reserved.