On Sat, Jun 10, 2062 at 01:16:03PM -0600, jd1008 wrote:
> On 06/12/2015 01:01 PM, Gordon Messmer wrote:
> > As far as cookies go, you're even further from the truth. A script can
> > only access cookies whose domain matches the origin of the script.
>
> Your final line is not true.

It's technically true; however, XSS attacks can get around that restriction, which is why you saw so much malware posted on a site like googleusercontent.com. Sites that allow users to upload content are always being used to host malware for XSS attacks. But you still need to be visiting a site with the same domain as the cookie, and load a compromised page. Plus, if you use HttpOnly cookies, you have to go through even more complex XSS exploits to get at the cookie, since they aren't accessible through the DOM model. But as designed, cookies are meant only to be used by scripts from the same domain as the one that set the cookie.

-- 
Jonathan Billings <billings at negate.org>
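Added example, not part of the thread: a small JavaScript checker for `Set-Cookie` headers that reports when a cookie lacks the HttpOnly flag discussed above, and also the related Secure, SameSite and Domain attributes that decide where a cookie travels. The header values are constructed samples, not from any real site.

```javascript
// Parse one Set-Cookie header value into its name/value pair and the
// attributes that matter for script access and cross-site exposure.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    httpOnly: false, // absent => document.cookie exposes it to page scripts
    secure: false,   // absent => also sent over plaintext HTTP
    sameSite: null,  // null => attribute not present
    domain: null,    // set => shared with every subdomain of that domain
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = v.toLowerCase() || 'none'; break;
      case 'domain': cookie.domain = v.toLowerCase().replace(/^\./, ''); break;
      default: break; // Path, Expires, Max-Age etc. are irrelevant here
    }
  }
  return cookie;
}

// Return the findings for one header. A cookie without HttpOnly is the one
// an injected script on the same origin can read via document.cookie, which
// is exactly what the thread's HttpOnly remark is about.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('readable by page scripts (missing HttpOnly)');
  if (!c.secure) findings.push('sent over plaintext HTTP (missing Secure)');
  if (c.sameSite === null || c.sameSite === 'none') {
    findings.push('sent on cross-site requests (SameSite absent or None)');
  }
  if (c.domain) findings.push(`shared with all subdomains of ${c.domain} (Domain set)`);
  return findings;
}

// Constructed sample headers: one hardened session cookie, one loose cookie.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'prefs=dark; Path=/; Domain=.example.com',
];

for (const h of SAMPLE_HEADERS) {
  const name = parseSetCookie(h).name;
  console.log(name, auditSetCookie(h).length ? auditSetCookie(h) : 'ok');
}
```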
On Fri, Jun 12, 2015 at 03:43:11PM -0400, Jonathan Billings wrote:
> It's technically true; however, XSS attacks can get around that
> restriction, which is why you saw so much malware posted on a site
> like googleusercontent.com. Sites that allow users to upload content
> are always being used to host malware for XSS attacks. But you still
> need to be visiting a site with the same domain as the cookie, and
> load a compromised page. Plus, if you use HttpOnly cookies, you
> have to go through even more complex XSS exploits to get at the
> cookie, since they aren't accessible through the DOM model.

I should add that the exploits are constantly being addressed by both web browser developers and developers of extensions like NoScript. It's an arms race.

-- 
Jonathan Billings <billings at negate.org>
On 06/12/2015 01:01 PM, Gordon Messmer wrote:
> On 06/13/2015 11:11 AM, jd1008 wrote:
> > All your browsing history, all cookies ...etc are open books
> > as far as many javascripts are concerned.
>
> Javascript can use CSS attributes to see if you've visited a specific
> URL, which is unfortunate, but that's a long way from saying that your
> history is an open book. Javascript cannot directly access your
> history. A script cannot enumerate all of the sites you've visited,
> it can only test specific, complete URLs.
>
> As far as cookies go, you're even further from the truth. A script
> can only access cookies whose domain matches the origin of the script.

Your final line is not true.