Many web sites host bulletin boards where registered users may post
messages. A registered user is commonly tracked using a session ID
cookie authorizing them to post. If an attacker were to post a
message containing a specially crafted JavaScript, a user reading
this message could have their cookies and their account
compromised.
Cookie Stealing Code Snippet:
Non Persistent Attack
Many web portals offer a personalized view of a web site and greet a
logged-in user with "Welcome, <username>". Sometimes the data identifying
the logged-in user is stored in the query string of a URL and echoed back
to the screen.
Portal URL example:
http://portal.example/index.php?sessionid=12312312&username=Joe
In the example above we see that the username "Joe" is stored in the
URL. The resulting web page displays a "Welcome, Joe" message. If
an attacker were to modify the username field in the URL, inserting a
cookie-stealing JavaScript, it would be possible to gain control of the
user's account.
A large percentage of people will be suspicious if they see JavaScript
embedded in a URL, so most of the time an attacker will URL-encode
their malicious payload, similar to the example below.
Copyright 2004, Web Application Security Consortium. All rights reserved.