XSS In '302' Redirect Pages

February 3, 2008

I have found it difficult to exploit XSS in a 302 HTTP response, primarily because browsers follow the redirect and do not execute the XSS.

For a moment, let's visit the attacks session fixation and HTTP response splitting. Consider a scenario where an attacker is able to inject into the 'Location:' field of an HTTP 302 response header. Through CRLF injection, it will be possible to add a 'Set-Cookie' header and set a cookie in the victim's browser. This is only useful when the application is vulnerable to cookie fixation; the attacker can then use the fixed cookie to hijack the victim's session.
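The header-splitting step above, as an added example (not code from the original post): a redirect builder that concatenates the target unchecked, beside a hardened one that rejects control characters, and a small header parser that shows which headers the client would actually receive. The redirect target, the SESSIONID cookie name and the helper names are constructed for the demonstration.

```python
import re

# Constructed example: a redirect target that a user-controlled parameter
# could carry. The CRLF sequence is what lets a second header be smuggled in.
INJECTED_TARGET = "/home\r\nSet-Cookie: SESSIONID=attacker-chosen; Path=/"


def build_redirect_naive(location: str) -> bytes:
    """Vulnerable: the Location value is concatenated into the header block
    unchecked, so CR/LF inside it terminates the header and starts a new one."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


class HeaderInjection(ValueError):
    """Raised when a redirect target would split the header block."""


def build_redirect_hardened(location: str) -> bytes:
    """Hardened: refuse any redirect target containing CR, LF or other control
    characters rather than trying to 'clean' it."""
    if re.search(r"[\r\n\x00-\x1f\x7f]", location):
        raise HeaderInjection("control character in redirect target")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Parse a raw response head into a {lower-cased name: [values]} map, the
    way a browser would see it; used to show which headers actually arrive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _status, *lines = head.split("\r\n")
    headers: dict = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


if __name__ == "__main__":
    # With the naive builder the client receives a Set-Cookie header the
    # application never meant to send; the hardened builder refuses the input.
    print(parse_headers(build_redirect_naive(INJECTED_TARGET)))
    try:
        build_redirect_hardened(INJECTED_TARGET)
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping is deliberate: a stripped value may still be an open redirect, and a 400 response makes the attempt visible in logs.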

Checking whether the application is vulnerable to cookie fixation is quite trivial: supply any expired session-id in the cookie to the application along with a valid user-name and password, and if the application revalidates the supplied session-id from the cookie (instead of issuing a new random session-id), then it is vulnerable to cookie fixation. As session fixation is normally associated with session-ids carried in URLs, this issue can, at times, go unnoticed.
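The fixation check described above, as an added example (not code from the original post): a minimal in-memory session store with a login that revalidates whatever id the client presented, beside one that issues a fresh id on every successful login, and a `fixation_check` helper that runs the test from the post against either. The user name, password and session store are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed credentials for the demonstration; a real application would check
# a salted password hash, not a plaintext dictionary.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal in-memory session store: session id -> username (None = anonymous)."""

    def __init__(self):
        self.sessions: dict = {}

    def new_session(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable id
        self.sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def _password_ok(user, password) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(store, supplied_sid, user, password):
    """Fixation-prone: whatever session id arrived in the Cookie header is
    'revalidated' and bound to the user, even if the server never issued it
    (the expired / attacker-chosen id case the post describes)."""
    if not _password_ok(user, password):
        return None
    sid = supplied_sid or store.new_session()
    store.sessions[sid] = user
    return sid


def login_hardened(store, supplied_sid, user, password):
    """Fixation-safe: on successful login, discard the id the client sent and
    issue a fresh random id bound to the user."""
    if not _password_ok(user, password):
        return None
    store.sessions.pop(supplied_sid, None)
    return store.new_session(user)


def fixation_check(login) -> bool:
    """The test from the post: log in while presenting an id the server never
    issued; return True if that same id ends up authenticated."""
    store = SessionStore()
    planted = "expired-or-attacker-chosen-id"  # constructed, never issued by the server
    login(store, planted, "alice", "correct horse battery staple")
    return store.user_for(planted) == "alice"


if __name__ == "__main__":
    print("vulnerable login fixable:", fixation_check(login_vulnerable))  # True
    print("hardened login fixable:  ", fixation_check(login_hardened))    # False
```

The same check applies to a real application from the outside: set a cookie with a stale or made-up session id, log in, and see whether the post-login session still uses that id or whether a `Set-Cookie` with a new value comes back.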
