[unisog] in memory cookie safe from theft ??

Christopher Cramer chris.cramer at duke.edu
Tue Mar 11 14:18:15 GMT 2003


I'm by no means a cross site scripting expert, but it sounds like your
vendor is taking some really great drugs.  The interface to the cookie
for a XSS vulnerability is the client's browser, not the disk or the
memory.  So, it shouldn't matter how or where the cookie is stored.  

Now, the cookie being stored in memory will make it more difficult to
steal if the attacker has access to the computer in question, however,
for an XSS vulnerability it shouldn't make a difference.  For example,
if I can inject javascript into the client's webpage, then there's
nothing which would prevent me from dumping the cookie to another site
in the same domain.

I don't have your original email on hand, but is there a known XSS
vulnerability or is the vendor doing stupid things with cookies and you
have a concern for potential cookie stealing?

-c

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  CELL: 919-210-0528
PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp

On Mon, 2003-03-10 at 16:33, Russell Fulton wrote:
> Hi,
>     Firstly thanks to all of you who responded (either on or off the list )
> to my previous query about cookies.  I try to respond personally to
> everyone but I've been somewhat busy chasing sendmail and I may have
> missed someone.
> 
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs.  I can see that this definitely
> makes it more difficult but my gut feeling is that there are ways to
> trick the browser into giving up the cookie. This is particularly so if
> the web site with the XSS 'bug' is in the same domain as the site that
> issued the cookie. 
> 
> The thing I really hate about this is that the security depends on how
> the clients are configured!
> 
> Any comments?
> 
> -- 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> "It ain't necessarily so"  - Gershwin
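The point both posters are circling (whether a cookie lives in memory or on disk has no bearing on what injected script can read) is easy to make concrete with a small model of a browser cookie jar. The following is an added example, not code from the original thread or from either poster; it assumes a deliberately simplified Set-Cookie parser (name=value plus Domain, Path, Expires/Max-Age and HttpOnly; no Secure or SameSite handling) and the RFC 6265 rule that a Domain attribute makes a cookie visible to every host under that domain. The hosts and cookie values are constructed for the demo. The one attribute that actually governs script access, HttpOnly, is not mentioned in the thread but is included here as the defender's control to contrast with the vendor's "memory only" argument.

```javascript
// Added example, not from the original mail: a toy model of a browser cookie
// jar, showing why "the cookie is only kept in memory" says nothing about
// whether page script (including script injected through an XSS bug on a
// host in the same domain) can read it. Assumptions: simplified Set-Cookie
// parsing; no Secure/SameSite handling; hosts and values are constructed.

// Parse one Set-Cookie header value, as received from `requestHost`.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map(p => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('=').trim(),
    domain: requestHost.toLowerCase(),
    hostOnly: true,      // no Domain attribute => only the issuing host sees it
    path: '/',
    persistent: false,   // no Expires/Max-Age => session cookie, kept in memory only
    httpOnly: false,     // HttpOnly => hidden from document.cookie
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;   // now visible to every host under that domain
    } else if (key === 'path' && val) {
      cookie.path = val;
    } else if (key === 'expires' || key === 'max-age') {
      cookie.persistent = true;  // the browser will write this one to disk
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Does the cookie's domain scope cover `host`? (RFC 6265 domain matching,
// simplified: host-only cookies need an exact match, domain cookies match
// the domain itself and any subdomain.)
function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// What document.cookie exposes to script running on `host`/`path`: every
// matching cookie that is not HttpOnly. Note that `persistent` (memory vs
// disk) is never consulted here; the browser does not care where it stored it.
function scriptVisibleCookies(jar, host, path = '/') {
  return jar
    .filter(c => domainMatches(c, host) && path.startsWith(c.path) && !c.httpOnly)
    .map(c => `${c.name}=${c.value}`);
}

// Constructed scenario: an application on app.example.edu issues a
// memory-only session cookie scoped to all of example.edu, a persistent
// preference cookie with no Domain attribute, and a second session cookie
// marked HttpOnly. We then ask what script on three different hosts can see.
function demo() {
  const jar = [
    parseSetCookie('SESSID=abc123; Domain=.example.edu; Path=/', 'app.example.edu'),
    parseSetCookie('PREF=blue; Expires=Wed, 09 Jun 2021 10:18:14 GMT', 'app.example.edu'),
    parseSetCookie('SESSID2=def456; Domain=.example.edu; HttpOnly', 'app.example.edu'),
  ];
  return {
    onDisk: jar.filter(c => c.persistent).map(c => c.name),      // only PREF
    sameHost: scriptVisibleCookies(jar, 'app.example.edu'),      // SESSID and PREF
    otherHostSameDomain: scriptVisibleCookies(jar, 'www.example.edu'), // SESSID only
    otherDomain: scriptVisibleCookies(jar, 'www.example.org'),   // nothing
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The memory-only SESSID is the one cookie that never touches disk, yet it is readable by script on any host under example.edu, which is exactly the "XSS bug in the same domain" case Russell raised. The only cookie that script cannot read, on any host, is the one marked HttpOnly; storage location does not enter into the decision at all.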
