re: Evil Session Tokens VIEW POST

re: Unless you have a really bad CORS (en.wikipedia.org/wiki/Cross-origin...) setup, this shouldn't be possible. The entire point of CORS is to disable...

Thanks for your reply, but we've clearly crossed wires somewhere. S1MPLES.COM doesn't need to access the cookie. It just has an image that links to SIMPLES.COM with the URL of choice. The browser supplies the cookie, and hence the GET requests are authorised. No Javascript, so CORS is not applicable.

Yes, the browser does an authenticated GET request to SIMPLE.COM. Please describe again how S1MPLE.COM gets hold of the cookie that the browser sends to SIMPLE.COM (and not S1MPLE.COM)? You are claiming that the malicious hacker web app can issue GET requests to retrieve private data. How? S1MPLE.COM can make my browser retrieve data from SIMPLE.COM into my browser. Which it does for me anyway. What is the genius idea that allows a website to steal my private data by embedding an image that links to SIMPLE.COM, when said private data never reaches that website?

This still doesn't make sense.

Even on the owasp.org site's CSRF example with an img tag it requires the target server (eg simples.com) to perform some action to be a real vulnerability. The user's cookie is NEVER given to s1mples.com, and s1mples.com doesn't have access to the data of the user. All it can do is try to trick the user into performing actions with an already authorized cookie, but it can't actually view the data from those actions or steal the user's cookie.

I assume you are trying to help and I appreciate that, but what you are describing just doesn't line up with anything I have ever read or learned.

Do you happen to have any sources backing up your claim or documenting how a GET request with an IMG tag could lead to s1mples either (a) gaining access to a user's data, or (b) getting access to a user's cookie?

Jon, thanks for mirroring my exact thoughts. It matches all my knowledge which i consider rather solid. Still i got in doubt and was rather hesitant to oppose the claims in this post when i first read it, but it shook the foundations of my understanding how the web works.

I know the feeling. I am always hesitant to ask in case I am wrong, but I figured what the hell.

If I am wrong & the author has references to back up his claims I look silly for a bit and it adds more context for future readers like you and me. I also learn about a new attack vector as an added bonus.

If I am right, hopefully it leads to the author updating the post a bit to fix the mistake and we all live happily ever after (or until the next Heartbleed).

What you say is true, the attacker will not have access to the cookies themselves. However there are trickier vector attacks he can perform, see for example


code of conduct - report abuse