[unisog] in memory cookie safe from theft ??
pmeunier at purdue.edu
Tue Mar 11 12:52:18 GMT 2003
On 3/10/03 4:33 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs.
I guess they would fail a question on the first quiz in the class I teach,
to do with whether it is written to disk.
<script>alert(document.cookie)</script> is the most common way that a XSS is
demonstrated. See the XSS vulnerabilities in a website portal:
Their assertion doesn't reassure me as to their understanding of
vulnerabilities and secure programming. But, they already demonstrated
operation of their product.
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist
Purdue University CERIAS
656 Oval Drive
West Lafayette, IN 47907-2039
+1 (765) 494-7841 (main)
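
Added example, not part of the original post or the vendor's product: a small model of how a browser handles Set-Cookie headers, showing that whether a cookie is kept in memory or on disk is independent of whether page script can read it through document.cookie. The cookie names, values and function names are constructed for illustration; the HttpOnly attribute, which the post does not mention, is what actually hides a cookie from script.

```javascript
// Added example: models a Set-Cookie header along two independent axes,
// storage lifetime and visibility to page script. Simplified: Max-Age=0
// deletion, Domain and Secure handling are not modelled.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, persistent: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    // Expires or Max-Age makes the cookie persistent (kept across restarts);
    // without either it is a session cookie held in memory only.
    if (key === 'expires' || key === 'max-age') cookie.persistent = true;
  }
  return cookie;
}

// What document.cookie returns to any script running in the page,
// injected script included: every cookie not flagged HttpOnly.
function scriptVisibleCookies(jar) {
  return jar.filter(c => !c.httpOnly)
            .map(c => `${c.name}=${c.value}`)
            .join('; ');
}

// Report both properties side by side for a list of Set-Cookie headers.
function audit(headers) {
  return headers.map(parseSetCookie).map(c => ({
    name: c.name,
    storage: c.persistent ? 'disk' : 'memory-only',
    exposedToScript: !c.httpOnly,
  }));
}

// Constructed sample headers (names and values are made up).
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',              // the vendor's case: memory-only
  'SESSIONID2=def456; Path=/; HttpOnly',   // memory-only, hidden from script
  'PREFS=dark; Path=/; Max-Age=31536000',  // persistent, script-readable
];

console.log(audit(SAMPLE_HEADERS));
console.log(scriptVisibleCookies(SAMPLE_HEADERS.map(parseSetCookie)));
```

The first sample cookie is never written to disk and is still returned by document.cookie; only the HttpOnly one is withheld.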