tomcat-dev mailing list archives

From "David Rees" <...@greenhydrant.com>
Subject RE: Jakarta Tomcat 4.1 XSS vulnerability
Date Mon, 29 Sep 2003 19:49:51 GMT
On Mon, September 29, 2003 at 2:34 pm, Shapira, Yoav sent the following
>
> Howdy,
> This is interesting, hopefully you won't mind educating me a bit
> further...

Not at all, but keep in mind I haven't studied all that much myself... ;-)

>>> - Is it really a vulnerability?  What can you get from this
>>> "exploit"?
>>
>> You can hijack the user's session or steal information from a user's
>> cookie pretty easily with an XSS flaw such as this one.
>
> How would you "hijack" the user's session?  By that do you mean just
> getting the session ID from the JSESSION cookie on the user's
> hard-drive?

Once you are able to insert arbitrary Javascript into a page, you could
use that power to submit a request to your own website with the JSESSION
cookie details.  So an example scenario would look like this:

1. User has session open to www.unsecurebank.com.
2. User receives email from malicious user saying "Buy my product here!"
but is actually a link to www.unsecurebank.com.  The link exploits the XSS
vulnerability and uses Javascript to send the cookie information back to
the malicious user's website.
3. Malicious user now has access to www.unsecurebank.com.  If
www.unsecurebank.com also stored sensitive information in any cookies, the
malicious user would now have that information as well!

In this case, www.unsecurebank.com could also perform IP address
confirmation along with the JSESSION id, but this is only reliable when
using HTTPS/SSL.

-Dave
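The two server-side defences implied by the scenario above, modelled as an added example that is not part of this thread and not Tomcat's own code: (1) HTML-escaping a request parameter before it is echoed into a page, so an injected `<script>` tag is rendered as text instead of executed, and (2) the "IP address confirmation" Dave mentions, binding a session ID to the client IP at creation so the same JSESSION id presented from another address is refused. Plain Python stands in for the servlet container; every name, IP address and the sample payload are constructed for illustration.

```python
"""Added example (not from the original thread): two defences against the
reflected-XSS cookie-theft scenario described in the message.

1. Escape any request parameter echoed into HTML, so a payload such as
   <script>...</script> becomes inert text.
2. Bind a session ID to the client IP when the session is created (the
   "IP address confirmation" the message mentions) and refuse the ID when it
   arrives from a different address.
All names, addresses and sample values are constructed for illustration.
"""
import html
import secrets
from dataclasses import dataclass, field


def render_unescaped(param: str) -> str:
    """The vulnerable pattern: the parameter is echoed verbatim into HTML."""
    return f"<html><body>Search results for: {param}</body></html>"


def render_escaped(param: str) -> str:
    """The hardened pattern: escape before echoing. quote=True also escapes
    quote characters, so the value is safe inside attribute values too."""
    return f"<html><body>Search results for: {html.escape(param, quote=True)}</body></html>"


def contains_active_script(page: str) -> bool:
    """Crude check used only by this example: does the rendered page still
    carry a live <script> start tag?"""
    return "<script" in page.lower()


@dataclass
class SessionStore:
    """Minimal server-side session table: session id -> (user, client ip).
    A constructed stand-in for a servlet container's session manager."""
    _sessions: dict = field(default_factory=dict)

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_hex(16)  # unguessable session id
        self._sessions[sid] = (user, client_ip)
        return sid

    def lookup(self, sid: str, client_ip: str):
        """Return the user for sid, or None if the id is unknown or is
        presented from a different IP than the one that created it. As the
        message notes, this check is only reliable over HTTPS/SSL, since on
        plain HTTP the cookie is exposed in transit regardless."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip = entry
        if bound_ip != client_ip:
            return None
        return user


# Constructed stand-in for the cookie-reading script the message describes;
# the point is only whether a script tag survives into the rendered page.
SAMPLE_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both defences against the sample payload and a stolen session id."""
    vulnerable = render_unescaped(SAMPLE_PAYLOAD)
    hardened = render_escaped(SAMPLE_PAYLOAD)
    store = SessionStore()
    sid = store.create("alice", "10.0.0.5")        # legitimate user's session
    return {
        "vulnerable_executes": contains_active_script(vulnerable),
        "hardened_executes": contains_active_script(hardened),
        "same_ip_user": store.lookup(sid, "10.0.0.5"),     # original client
        "other_ip_user": store.lookup(sid, "192.0.2.44"),  # replayed elsewhere
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the unescaped page still contains an executable script tag while the escaped one does not, and that the session id is honoured only from the address that created it. The IP binding is a supplementary control, as the message says; the escaping is what removes the XSS itself.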
