Current session cookie shown in an HTML page on request



  • A website exposes this function: https://test.com/getSessionCookie When an authenticated user clicks on it, he gets an HTML page with his cookie. Could this be exploited in some way?



  • An interesting kind of attack that might work in this case would involve iframes (if allowed), social engineering, and a confused deputy issue (where the confused deputy is the user).

    You might create a malicious website that contains a fake CAPTCHA request, where the CAPTCHA code comes from the user's cookie and is displayed with an iframe. So, for example, you could place the page that displays the cookie inside an iframe and position it carefully so that it looks good enough. Then show the user a page that says: "Our system needs to make sure you are a human, please copy the following code and paste it in the field below".

    That was the first example that crossed my mind, but maybe you could come up with better tricks to convince the user to copy the code and send it to you. You might try to convince the user that the code is a temporary password to access a private area, or an error code they have to communicate to you, or a URL they need to visit. I'm not sure if the user would be able to copy-paste a text string (the fake URL) when part of the string comes from an iframe (the cookie), but you could try.
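The trick described in this answer only works if the cookie page can be loaded inside a frame on another origin. As an added example (not part of the original question or answers), the check below takes the response headers a page like https://test.com/getSessionCookie actually returns and decides whether a document from a given origin may embed it, following browser precedence (a CSP `frame-ancestors` directive overrides `X-Frame-Options`; `ALLOW-FROM` and unrecognised values are not enforced by current browsers; no header at all means anyone may frame it). Function names are my own, and port handling in host sources is deliberately omitted.

```python
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased, for origin comparisons."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(src: str, emb: str, own: str) -> bool:
    """Does one frame-ancestors source expression admit origin `emb`?"""
    src = src.lower()
    e = urlsplit(emb)
    if src == "'none'":
        return False
    if src == "'self'":
        return emb == own
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:      # scheme-only source, e.g. https:
        return e.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")          # host source with optional scheme
    if scheme and scheme != e.scheme:
        return False
    if host.startswith("*."):                         # wildcard subdomain source
        return (e.hostname or "").endswith(host[1:])
    return e.hostname == host                         # ports ignored (assumption)


def can_be_framed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a document at embedder_url may embed page_url in an <iframe>."""
    h = {k.lower(): v for k, v in headers.items()}
    own, emb = _origin(page_url), _origin(embedder_url)
    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:] or ["'none'"]        # an empty source list allows nobody
            return any(_source_matches(s, emb, own) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return emb == own
    return True   # no header, ALLOW-FROM, or an invalid value: browsers allow framing
```

Running it against the headers of the cookie page with an origin you do not control tells you whether the framing half of the attack is even possible; `frame-ancestors 'none'` (with `X-Frame-Options: DENY` for older browsers) closes it.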


