
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

If the cookie has been tampered with, make the request fail.
Using JavaScript to Reduce the Cookie Security Model to the Same Origin Policy
Popularity: 1
Simplicity: 5
Impact: 6
Risk Rating: 5
Chapter 2: Cross-Site Scripting 29
The cookie security model is intended to be more secure than the same origin policy, but with some JavaScript, the cookie domain is reduced to the security of the same origin policy's document.domain setting, and the cookie path attribute can be completely circumvented.
We'll use the university webmail example again where an attacker creates a web page at http://public-pages.university.edu/~attacker/ and the university has a webmail system at http://webmail.university.edu/. If a single page in http://webmail.university.edu/ has document.domain="university.edu" (call the page http://webmail.university.edu/badPage.html), then the attacker could steal the victim's cookies by luring him or her to http://public-pages.university.edu/~attacker/stealCookies.htm, which contains the following code:
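The root cause in the scenario above is a single page on webmail.university.edu that assigns document.domain to the parent domain. The following is an added example, not code from the book, written from the defender's side: a small Node.js scanner that flags document.domain assignments in page or script sources and reports whether each one relaxes the origin to a parent domain. The sample sources, the host name webmail.university.edu and the function name findDomainRelaxations are assumptions made for the illustration.

```javascript
// Added example (not from "Hacking Exposed Web 2.0"): find pages that relax
// document.domain.  Once a page on webmail.university.edu sets
// document.domain = "university.edu", any other *.university.edu page that does
// the same shares an origin with it and can reach its DOM and document.cookie.
// Reviewing every such assignment is the practical way to rule this out.

// Return one finding per document.domain assignment in `source`.
// `pageHost` is the host the source is served from (assumed for this example).
// A finding "relaxes" the origin when the assigned value is a strict parent
// of pageHost, e.g. "university.edu" on webmail.university.edu.
function findDomainRelaxations(source, pageHost) {
  // Matches `document.domain = "..."` (single, double or backtick quotes) and
  // rejects comparisons such as `document.domain === "..."` via (?!=).
  const assignment = /document\s*\.\s*domain\s*=(?!=)\s*(['"`])([^'"`]*)\1/g;
  const host = pageHost.toLowerCase();
  const findings = [];
  let match;
  while ((match = assignment.exec(source)) !== null) {
    const target = match[2].trim().toLowerCase();
    const line = source.slice(0, match.index).split("\n").length;
    const relaxes = target !== host && host.endsWith("." + target);
    findings.push({ line, target, relaxes });
  }
  return findings;
}

// Constructed sample: the one line that makes badPage.html dangerous.
const SAMPLE_BAD_PAGE = [
  "<script>",
  "  // cross-subdomain widget glue (constructed sample)",
  '  document.domain = "university.edu";',
  "</script>",
].join("\n");

// Constructed sample: a comparison and a same-host assignment, neither relaxes.
const SAMPLE_OK_PAGE = [
  "<script>",
  '  if (document.domain === "webmail.university.edu") { init(); }',
  '  document.domain = "webmail.university.edu";',
  "</script>",
].join("\n");

// Print a report for a set of { url, host, source } records.
function report(pages) {
  for (const page of pages) {
    for (const f of findDomainRelaxations(page.source, page.host)) {
      const verdict = f.relaxes ? "RELAXES ORIGIN" : "ok";
      console.log(`${page.url}:${f.line} document.domain = "${f.target}" [${verdict}]`);
    }
  }
}

report([
  { url: "http://webmail.university.edu/badPage.html", host: "webmail.university.edu", source: SAMPLE_BAD_PAGE },
  { url: "http://webmail.university.edu/ok.html", host: "webmail.university.edu", source: SAMPLE_OK_PAGE },
]);
```

The regex only catches literal `document.domain = "..."` assignments; bracket access (`document["domain"]`) or values built at runtime are not matched, so treat a clean run as a triage result rather than proof of absence. Marking the session cookie HttpOnly removes it from document.cookie regardless of how document.domain is set, which limits what a relaxed origin can read even when one such page is missed.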