Friday, July 13, 2012

XSS Cookie Monster (Stealing Session ID/Cookie)




http://infosec42.blogspot.com

This is how you can use XSS to steal users cookies/Session ID. I'm using the HTTP POST method versus HTTP GET in this example. : ) Enjoy...

Using one of the reported XSS vulnerabilities in Netsweepers WebAdmin Portal to hijack an authenticated users cookie and then using it to bypass authentication with an already authenticated session.

# Exploit Title: Netsweeper WebAdmin Portal CSRF, Reflective XSS, and "The later"
# Date: Discovered and reported CSRF and XSS reported 4/2012 and "The later" reported 7/2012
# Author: Jacob Holcomb/Gimppy042
# Software Link: Netsweeper Inc. - Netsweeper Internet Filter (www.netsweeper.com)
# CVE :  CVE-2012-2446 for the XSS issues, CVE-2012-2447 for the CSRF, and CVE-2012-3859 for the "The later"

No comments:

Post a Comment