[unisog] in memory cookie safe from theft ??

Pascal Meunier pmeunier at purdue.edu
Tue Mar 11 14:53:05 GMT 2003


On 3/10/03 4:33 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:

> Hi,
> Fistly thanks to all of you who responded (either on or off the list )
> to my previous query about cookies.  I try to respond personally to
> everyone but I've been somewhat busy chasing sendmail and I may have
> missed someone.
> 
> The vendor of the software (this isn't something we have control over :(
> ) says that since the cookie isn't written to disk the cookie isn't
> vulnerable to being stolen via XSS bugs.  I can see that this definitely
> makes it more difficult but my gut feeling is that there are ways to
> trick the brower into giving up the cookie. This is particularly so if
> the web site with the XSS 'bug' is in the same domain as the site that
> issued the cookie.
> 
> The thing I really hate about this is that the security depends on how
> the clients are configured!
> 
> Any comments?

As an addendum to my last post, note that the domains involved do not need
to be identical:

http://www.mozilla.org/projects/security/components/same-origin.html

"There is one exception to the same origin rule. A script can set the value
of document.domain to a suffix of the current domain. If it does so, the
shorter domain is used for subsequent origin checks. For example, assume a
script in the document at http://store.company.com/dir/other.html executes
this statement:

document.domain = "company.com";

After execution of that statement, the page would pass the origin check with
http://company.com/dir/page.html"

So, any web page from auckland.ac.nz (e.g., a student's web page) *may* be
able to run a javascript to access the contents of any form in your web
portal, such as usernames and passwords, depending on the exact domain names
involved.

Javascript is such a security headache.

Cheers,

Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist
Purdue University CERIAS
Recitation Building
656 Oval Drive
West Lafayette, IN 47907-2039

+1 (765) 494-7841 (main)
http://www.cerias.purdue.edu/




More information about the unisog mailing list