[Owasp-testing] Copy Cookies

Pavol Luptak pavol.luptak at nethemba.com
Thu Jul 22 07:33:51 EDT 2010


On Thu, Jul 22, 2010 at 10:46:01AM +0200, Stephen de Vries wrote:
> I didn't claim the contrary.  The original poster described taking a session cookie (not mentioning where he got it) and then using it in another browser to get access to another user's session.  This is like saying every app on the internet is vulnerable to authentication hijacking, because if I take your username and your password then I can login as you!  

This is not the same. Cookies can be linked with unique secret tokens stored
in POST hidden fields (that are unique for every browser) and with the client's IP address,
therefore just copying the cookie to a different browser won't work
at all.

Pavol
-- 
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader
http://www.owasp.org/index.php/Slovakia
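The binding Pavol describes, written out as an added example (not code from the list thread): a session record is tied to a per-browser secret that travels only in a hidden form field and to the client's IP, so a cookie pasted into a second browser fails validation. The store, function names and sample addresses are constructed for the illustration.

```python
import hmac
import secrets

# In-memory session store (constructed for this example): session id -> record.
_sessions = {}


def create_session(user, client_ip):
    """Log `user` in from `client_ip`. Returns (cookie value, hidden-field token).

    The cookie goes to the browser as usual; the form token is embedded as a
    hidden field in every page served to that browser and is never put in a cookie,
    so an attacker holding only the cookie does not have it.
    """
    sid = secrets.token_urlsafe(32)
    form_token = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "ip": client_ip, "form_token": form_token}
    return sid, form_token


def validate_request(cookie_sid, posted_token, client_ip):
    """Return the user if cookie, hidden-field token and client IP all match, else None."""
    rec = _sessions.get(cookie_sid)
    if rec is None:
        return None
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(rec["form_token"], posted_token or ""):
        return None
    if rec["ip"] != client_ip:
        return None
    return rec["user"]


def demo():
    """Legitimate browser vs. a second browser that only has the copied cookie."""
    sid, token = create_session("alice", "203.0.113.10")
    return {
        "same_browser": validate_request(sid, token, "203.0.113.10"),
        "copied_cookie_no_token": validate_request(sid, None, "203.0.113.10"),
        "copied_cookie_other_ip": validate_request(sid, token, "198.51.100.7"),
    }


if __name__ == "__main__":
    print(demo())
```

Of the two checks, the hidden-field token is the one that actually defeats a copied cookie; the IP check is fragile behind NAT and on mobile networks, where a legitimate user's address changes mid-session.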