You may wanna try WebSleuth at www.owasp.org. I know the release they have going out this weekend does cross-site scripting. JavaScript prevents an easy way to send the cookie using email (it does actually have a security model!) but you can call a gif on a remote server and send the cookie values in the url or many other ways. ....not hard.... WebSleuth will also allow you to play and change any cookie values as well, and it's open source so you can add to it...

I'm working on a pen test for a web application. After the first time you successfully authenticate, the app stores a cookie with username and password in clear text. I've recently read the archive regarding vulnerable IE browsers revealing cookies. I'd like to go a step farther. Does anyone have a script that will email the cookie? I'd like to craft an email with a link and when a user clicks, it emails the cookie. I want to show the client how dangerous it is to store a clear text cookie. Also, any other method of cookie stealing would be really appreciated.

Thanks.

Joe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 13:06:42 PST
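The thread above describes the weak pattern (username and password written into cookies in clear text, readable by any script that runs in the page) and the reason it matters (a cookie that script can read can be sent off-site). The following is an added example, not code from the thread or from WebSleuth: a small Python audit that flags Set-Cookie headers with credential-like names or missing HttpOnly/Secure/SameSite attributes, beside a hardened replacement that issues an opaque random session token and keeps the username server-side. The cookie names in CREDENTIAL_NAMES and the sample headers are constructed for this example.

```python
import secrets
from http.cookies import SimpleCookie

# Cookie names that suggest the application stores raw credentials client-side.
# Constructed list for this example; extend it to match your application's naming.
CREDENTIAL_NAMES = {"user", "username", "login", "pwd", "pass", "passwd", "password"}

# Constructed Set-Cookie headers reproducing the weak pattern from the thread:
# username and password written into cookies in clear text, no protective flags.
WEAK_HEADERS = [
    "user=joe; Path=/",
    "pwd=hunter2; Path=/",
]


def audit_set_cookie(header_value):
    """Inspect one Set-Cookie header value and return a list of findings.

    Flags cookies whose names look like credentials, and cookies that lack
    HttpOnly (readable by page script via document.cookie), Secure (sent
    over plain HTTP) or SameSite (attached to cross-site requests).
    An empty list means nothing was flagged.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        if name.lower() in CREDENTIAL_NAMES:
            findings.append(f"{name}: credential-like cookie name, value stored client-side")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


def issue_session_cookie(session_store, username):
    """Hardened replacement: a server-side session keyed by a random opaque token.

    The cookie carries only the token; the username stays in session_store on
    the server and the password is never stored client-side at all.
    """
    token = secrets.token_urlsafe(32)
    session_store[token] = username
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def audit_headers(headers):
    """Audit a list of Set-Cookie header values; returns {header: findings}."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_headers(WEAK_HEADERS).items():
        print(header)
        for finding in findings:
            print("   ", finding)
    sessions = {}
    hardened = issue_session_cookie(sessions, "joe")
    print(hardened, "->", audit_set_cookie(hardened) or "no findings")
```

Run against the constructed weak headers, the audit reports both the credential-like names and the three missing attributes; the cookie produced by issue_session_cookie passes clean. Note that HttpOnly only stops script from reading the cookie; it does not make a cleartext credential cookie acceptable, which is why the hardened form replaces the credentials with an opaque token rather than just adding flags.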