- Cookie-based XSS
- How do you write up your findings (the report / write-up)?
- The process: how would you handle a pentest against a web app?
- For session management testing, what kind of tests would you perform?
- Tell me how RoR (Ruby on Rails) handles session management
- Tell me the HTTP methods
- Client Side Session Storage
- How to mitigate XSS
- How SSL Handshake works
1. Cookie-based XSS
As an attacker, if you can obtain the user's cookie (e.g. with local access or session fixation), you don't need XSS in the first place.
If you can inject script, you wouldn't want to inject a script to set a cookie to steal the cookie, you would just steal the cookie in the first place.
The only way I see this as an issue is if the attacker can forge HTTP request headers to the target domain, which is unlikely.
It's definitely still worth noting as part of defense in depth, and it's impossible to think of every possible scenario/attack.
Cookie-based XSS is the case where the script injection point is in the Cookie header. The problem is that there is no good way (in a modern browser) to force a victim's browser to send an HTTP request with a modified Cookie value (one that includes HTML/JS). While the website or web application is still technically vulnerable to XSS, this is usually considered unexploitable because no PoC can be built, and the risk/threat is therefore rated lower. The rating only holds as long as the attacker has no other way to plant the cookie; if something else can set it for the victim (the local access or session-fixation cases above), the stored payload fires on every page that reflects that cookie.
This is certainly a form of persistent XSS, but not in the traditional sense: the injected script is stored on the client machine rather than on the server, and it is only ever exposed to a single victim.
What is “Unexploitable” XSS?
A condition where a website is technically vulnerable to XSS (it does not properly encode output), but for some reason the flaw cannot be used maliciously against another user, only against oneself. Typical causes:
- The injection point is located somewhere a cross-domain HTTP request cannot modify the user-supplied data (Cookies, User-Agent, etc.)
- Vulnerable functionality is protected by CSRF tokens or CAPTCHAs (post-login).
8. XSS Mitigation
- Input validation with an allow list (white list) rather than a deny list (black list); a deny list of known-bad tags is bypassed by any vector it does not name (event handlers, other tags, encodings)
- Context-aware output encoding (HTML text, attribute, JavaScript and URL contexts) at the point where the data is written into the page; this is the primary fix, since the root cause is improperly encoded output
- Response headers as defense in depth: Content-Security-Policy, and the legacy X-XSS-Protection header (ignored by most modern browsers)
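The two passages above (the Cookie-header injection point in section 1 and the allow list / deny list / output-encoding points in section 8) are easiest to see side by side. The following Python is an added example written for these notes, not code from the original page or from any framework it mentions: it parses a constructed Cookie header whose display_name value carries a script payload, renders it unencoded (cookie-based XSS), renders it through a deny-list filter that strips only <script> tags (bypassed by an event handler), and finally renders it with context-aware HTML encoding plus the response headers listed above. The cookie names, payloads and the greeting template are all assumptions made up for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request: a Cookie header in which display_name carries
# HTML/JS. Sample input for this example only, not a real capture.
RAW_COOKIE_HEADER = (
    "session=abc123; "
    "display_name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)
# Constructed deny-list bypass: no <script> tag at all, but an event handler fires.
EVENT_HANDLER_PAYLOAD = '<img src=x onerror="alert(1)">'


def parse_cookie_header(header):
    """Split a Cookie request header into {name: URL-decoded value}."""
    jar = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            jar[name] = unquote(value)
    return jar


def render_greeting_vulnerable(cookies):
    """Reflects the cookie value into the page with no encoding: cookie-based XSS."""
    name = cookies.get("display_name", "guest")
    return f"<p>Welcome back, {name}!</p>"


def deny_list_filter(value):
    """A deny-list (black list) filter that strips <script> tags and nothing else."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def render_greeting_deny_list(cookies):
    """Still vulnerable: the deny list misses every vector it does not name."""
    name = deny_list_filter(cookies.get("display_name", "guest"))
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_hardened(cookies):
    """Context-aware output encoding for an HTML text context: every character
    with meaning in HTML (& < > " ') becomes an entity, so no tag can form."""
    name = html.escape(cookies.get("display_name", "guest"), quote=True)
    return f"<p>Welcome back, {name}!</p>"


def hardened_response_headers():
    """Defense-in-depth headers sent alongside the encoded page."""
    return {
        # CSP refuses inline script and event handlers even if an encoding bug slips through.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        # Legacy browser XSS auditor header; most modern browsers ignore it, harmless to keep.
        "X-XSS-Protection": "1; mode=block",
    }


def payload_survives(page, payload):
    """Pentester's check: did the raw payload reach the HTML unchanged?"""
    return payload in page


if __name__ == "__main__":
    jar = parse_cookie_header(RAW_COOKIE_HEADER)
    print("vulnerable :", render_greeting_vulnerable(jar))
    print("deny list  :", render_greeting_deny_list({"display_name": EVENT_HANDLER_PAYLOAD}))
    print("hardened   :", render_greeting_hardened(jar))
    for name, value in hardened_response_headers().items():
        print(f"{name}: {value}")
```

Run it and compare the three greetings: the first two contain a live tag, the third contains only entities. Note that html.escape is correct for the HTML text context used here; a value written into a JavaScript string or a URL needs the encoder for that context instead.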
9. SSL Protocol
- Step 1. Client Hello: the client's browser sends the website a handshake record with multiple fields (Random, Session ID, Cipher Suites, etc.)
- Step 2. Server Hello: the server responds with a "Server Hello" handshake record (its own Random, the Session ID and the chosen cipher suite), followed by its certificate.
- Step 3. Compute Premaster Secret: e.g. generated by the client and sent encrypted under the server's RSA public key, or derived by both sides from a Diffie-Hellman exchange.
- Step 4. Compute Master Secret: by now both sides know the 48-byte premaster secret (computed in step 3) plus the client random and the server random (each a 4-byte timestamp followed by 28 random bytes, 32 bytes in total). Using these values and the PRF (pseudo-random function), both client and server calculate the 48-byte master secret value:
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)
- Step 5. Compute Key Block: the master secret is expanded with the PRF again ("key expansion") into the MAC keys, encryption keys and IVs for each direction.
- Step 6. Server confirms encryption: Change Cipher Spec followed by an encrypted Finished message whose verify_data is a PRF output over the handshake transcript, proving both sides derived the same keys.
- Step 7. Encrypt Application Data with the negotiated keys.
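The derivation in steps 3 to 6, as an added example rather than code from the original notes: a TLS 1.2 PRF (P_SHA256 as specified in RFC 5246) in Python that computes the master secret from the premaster secret and both randoms, expands it into the key block, and produces a Finished verify_data value. The premaster secret and the two Random values are constructed constants so the run is reproducible, and the MAC/key/IV sizes assume TLS_RSA_WITH_AES_128_CBC_SHA; nothing here talks to a network.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash from RFC 5246 section 5: expand secret+seed to `length` bytes.
    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """Step 4: PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Step 5: PRF(master_secret, "key expansion", server_random + client_random).
    Note the randoms are concatenated in the opposite order to step 4.
    The block is sliced, in this order, into the six per-direction secrets."""
    need = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, need)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master, label, handshake_messages):
    """Step 6: verify_data for a Finished message (RFC 5246 section 7.4.9):
    PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]."""
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)


# Constructed sample values: fixed bytes so the run is reproducible. A real
# handshake uses fresh CSPRNG output for both randoms and an RSA-encrypted
# or DHE-derived premaster secret.
CLIENT_RANDOM = bytes(range(0x00, 0x20))            # 32 bytes: 4-byte time + 28 random
SERVER_RANDOM = bytes(range(0x20, 0x40))            # 32 bytes
PRE_MASTER = b"\x03\x03" + bytes(range(0x40, 0x6e))  # 48 bytes: version + 46 random (RSA kx)


def derive_session_keys():
    """Run steps 4 and 5 for TLS_RSA_WITH_AES_128_CBC_SHA (HMAC-SHA1 MAC, AES-128, CBC IV)."""
    master = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    keys = key_block(master, CLIENT_RANDOM, SERVER_RANDOM, mac_len=20, key_len=16, iv_len=16)
    return master, keys


if __name__ == "__main__":
    master, keys = derive_session_keys()
    print("master_secret        ", master.hex())
    for name, value in keys.items():
        print(f"{name:21s} {value.hex()}")
    # Transcript is a placeholder; real verify_data hashes every handshake message so far.
    print("server verify_data   ", finished_verify_data(master, b"server finished", b"transcript").hex())
```

Both peers run exactly this computation independently; the Finished exchange in step 6 is what detects a mismatch, since a peer holding a different master secret produces a different verify_data.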