Howdy,
OK, makes sense. Thanks for the examples!

Yoav Shapira
Millennium ChemInformatics
>-----Original Message-----
>From: David Rees [mailto:[EMAIL PROTECTED]
>Sent: Monday, September 29, 2003 3:50 PM
>To: Tomcat Developers List
>Subject: RE: Jakarta Tomcat 4.1 XSS vulnerability
>
>On Mon, September 29, 2003 1at 2:34 pm, Shapira, Yoav sent the following
>>
>> Howdy,
>> This is interesting, hopefully you won't mind educating me a bit
>> further...
>
>Not at all, but keep in mind I haven't studied all that much myself... ;-)
>
>>>> - Is it really a vulnerability? What can you get from this
>> "exploit"?
>>>
>>>You can hijack the user's session or steal information from a user's
>>>cookie pretty easily with an XSS flaw such as this one.
>>
>> How would you "hijack" the user's session? By that do you mean just
>> getting the session ID from the JSESSION cookie on the user's
>> hard-drive?
>
>Once you are able to insert arbitrary Javascript into a page, you could
>use that power to submit a request to your own website with the JSESSION
>cookie details. So an example scenario would look like this:
>
>1. User has session open to www.unsecurebank.com.
>2. User receives email from malicious user saying "Buy my product here!"
>but is actually a link to www.unsecurebank.com. The link exploits the XSS
>vulnerability and uses Javascript to send the cookie information back to
>the malicious user's website.
>3. Malicious user now has access to www.unsecurebank.com. If
>www.unsecurebank.com also stored sensitive information in any cookies, the
>malicious user would now have that information as well!
>
>In this case, www.unsecurebank.com could also perform IP address
>confirmation along with the JSESSION id, but this is only reliable when
>using HTTPS/SSL.
>
>-Dave