CODEWITHSUNDEEP
javascriptsecurityhttpauthentication
Kyle Fox
Kyle Fox

Reputation: 3313

Is is possible to spoof a session with JavaScript + Cookies?

Suppose you have a webapp that gives users their own site on a subdomain (eg: awesome.super-cms.com) and that you let them edit HTML. Further assume that you're setting the SessionID in a wildcard subdomain cookie ("*.super-cms.com").

The user who manages evil.super-cms.com could easily write a JavaScript that grabs the SessionID from other super-cms.com users:

var session = $.cookie('SessionID');
// Now send `session` to evil.com

My question is: Could an attacker user these harvested SessionIDs to do bad things? For example, spoof authentication as another user?

Upvotes: 1

Views: 1969

Answers (2)

symcbean
symcbean

Reputation: 48367

Could an attacker user these harvested SessionIDs to do bad things?

Yes, but its a no-brainer to prevent this:

  • don't use wildcard cookies
  • set the http only flag on any cookies

I assume that you're running this on top of SSL (otherwise its already wide open to MITM attacks) in which case, setting the SSL only flag is a good idea too.

Note that you can't rely on the client ip address not changing (some ISPs use load-balanced proxies) mid session, but the browser headers don't change - however thats not going to help in an attack from someone who knows what they are doing.

C.

Upvotes: 0

Noon Silk
Noon Silk

Reputation: 55112

Yes, they can. This guy appears to have an article outlining examples: http://skeptikal.org/2009/11/cross-subdomain-cookie-attacks.html

You can set the domain of the cookie to prevent this. It is set as ;domain=... inside the cookie, your given language will probably have a facility to do this directly.

Upvotes: 4

Related Questions