Once you have the cookie, you need to identify a URL on the target web server that will allow you to access the goodies. For example, trace the traffic when you log into your web application normally. Most apps will redirect you to a "landing page" immediately after the login. If you had the other person's cookie, you could go to that same page, and see what they see.

How to get the cookie into play? Well, my approach would be to use a proxy, like mangle (http://mysite.mweb.co.za/residents/rdawes/homepage.html), SPIKE proxy, WebSleuth (?) etc, to add/substitute whatever cookie your browser is using natively with the cookie that you have captured. In that way, it makes no difference what cookie your browser thinks it has, the server will think you have the captured one.

There is an exception where the client does manipulation of the cookie using JavaScript, but you can get around that by adding a "Set-Cookie" to the response if necessary.

Hope this helped.

Rogan

-----Original Message-----
From: Jeremy Junginger [mailto:jjat_private]
Sent: 08 January 2003 07:09 PM
To: pen-test
Subject: RE: XSS LAB DEMO IDEAS

Thanks for the ideas, guys. I'm running into a bit of technical trouble, though. Perhaps you could shed some light? I now have a "victim" web server set up that I can test XSS on, and I have also set up an "attacker" web server that basically sits there and eats cookies via CGI, storing them to a local directory. The next question may seem very rudimentary, but can you just write those to your user's "cookie" folder and "hijack" their session to the web site? I know I'm missing something ::scratching my head::

-Jeremy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 14:49:28 PST