[unisog] in memory cookie safe from theft ??

Pascal Meunier pmeunier at purdue.edu
Tue Mar 11 12:52:18 GMT 2003


On 3/10/03 4:33 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:

> 
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs.

I guess they would fail a question on the first quiz in the class I teach,
CS490s:

http://www.cs.purdue.edu/homes/cs490s

In JavaScript, "document.cookie" will return the cookie...  It has nothing
to do with whether it is written to disk.

<script>alert(document.cookie)</script> is the most common way that an XSS is
demonstrated.  See the XSS vulnerabilities in a website portal:

http://www.securiteam.com/unixfocus/5SP0C0K8UC.html

Their assertion doesn't reassure me as to their understanding of
vulnerabilities and secure programming.  But, they already demonstrated
their level of understanding by making JavaScript a requirement for the
operation of their product.

Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist
Purdue University CERIAS
Recitation Building
656 Oval Drive
West Lafayette, IN 47907-2039

+1 (765) 494-7841 (main)
http://www.cerias.purdue.edu/
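As an added example, not part of the original thread: a small Node.js script that parses Set-Cookie headers (the sample headers are constructed) and reports, for each cookie, two independent properties: whether the browser would persist it to disk (Expires or Max-Age present) and whether page script could read it through document.cookie. It goes beyond the post by assuming the HttpOnly attribute, which the post does not mention, as the control that actually hides a cookie from script.

```javascript
// Added example, not code from the post. Parses Set-Cookie headers and shows
// that "kept in memory only" and "readable by script" are unrelated properties.
// Assumption: the real HttpOnly attribute is what removes a cookie from the
// value document.cookie returns; persistence alone does not.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    persistent: false, // written to disk only when Expires or Max-Age is set
    httpOnly: false,   // hidden from document.cookie only when HttpOnly is set
    secure: false,     // sent only over HTTPS when Secure is set
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    // Simplification: a past Expires or Max-Age<=0 deletes the cookie instead.
    if (key === 'expires' || key === 'max-age') cookie.persistent = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// What document.cookie would return for these cookies: every cookie that is
// not HttpOnly, whether or not it was ever written to disk.
function scriptVisibleCookies(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit helper: names of cookies an XSS bug on the site could read.
function cookiesReadableByScript(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => c.name);
}

// Constructed sample headers: an in-memory session cookie with no HttpOnly,
// a persistent preference cookie, and an in-memory cookie with HttpOnly.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',
  'theme=dark; Max-Age=31536000; Path=/',
  'SESSIONID2=def456; Path=/; HttpOnly; Secure',
];
const cookies = SAMPLE_HEADERS.map(parseSetCookie);
console.log(scriptVisibleCookies(cookies));    // SESSIONID=abc123; theme=dark
console.log(cookiesReadableByScript(cookies)); // [ 'SESSIONID', 'theme' ]
```

The in-memory SESSIONID is exactly as exposed as the on-disk theme cookie; only SESSIONID2, marked HttpOnly, is absent from what script can read.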
