Suppose you have a webapp that gives users their own site on a subdomain (eg: awesome.super-cms.com
) and that you let them edit HTML. Further assume that you're setting the SessionID in a wildcard subdomain cookie ("*.super-cms.com
").
The user who manages evil.super-cms.com
could easily write a JavaScript that grabs the SessionID from ot开发者_如何学Goher super-cms.com users:
var session = $.cookie('SessionID');
// Now send `session` to evil.com
My question is: Could an attacker user these harvested SessionIDs to do bad things? For example, spoof authentication as another user?
Yes, they can. This guy appears to have an article outlining examples: http://skeptikal.org/2009/11/cross-subdomain-cookie-attacks.html
You can set the domain of the cookie to prevent this. It is set as ;domain=...
inside the cookie, your given language will probably have a facility to do this directly.
Could an attacker user these harvested SessionIDs to do bad things?
Yes, but its a no-brainer to prevent this:
- don't use wildcard cookies
- set the http only flag on any cookies
I assume that you're running this on top of SSL (otherwise its already wide open to MITM attacks) in which case, setting the SSL only flag is a good idea too.
Note that you can't rely on the client ip address not changing (some ISPs use load-balanced proxies) mid session, but the browser headers don't change - however thats not going to help in an attack from someone who knows what they are doing.
C.
精彩评论