From what I understand document.cookie only gets your cookies for the current site you are on. Would it be possible for a malicious site to get around this by using an iFrame, modifying my HTTP header, making a request to the target site or some other method?

+1  A: 

These techniques in general will not work. Iframes deny programmatic access to properties like page content and cookies for pages on a different domain. Likewise, JavaScript HTTP requests are only allowed to the same domain as the requesting page.

Aardsquid
Why do you say generally? Can this happen if I'm using an old browser or something?
Gilbo
JavaScript and HTML are standards; web browsers implement them differently and some may not pay attention to safety. However, one would be hard-pressed to find a recent release of a modern web browser without such checks in place.
Aardsquid
+3  A: 

One way to do this would be through cross-site scripting attacks. This is a short overview of how cookie-stealing works with XSS.

renata
+1 exactly, I was just about to post this. Good job.
Rook
+1  A: 

DNS Rebinding can be used to bypass the Same Origin Policy (SOP), which browsers use to prevent one website from reading another website's data, such as cookies, the DOM, etc.

Here is a great video to learn how it works and how to prevent it.

Gaurav Kumar
DNS Rebinding is dead.
Rook
Why do you say that @Rook?
Abe Miessler
@Rook - I am also curious to know why you think DNS Rebinding is dead.
Gaurav Kumar
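
As an added example (not part of the original answers), the sketch below connects the Same Origin Policy from the first answer with the DNS rebinding answer: the browser compares origins by name, not by IP address, so the check that stops a rebound request is Host header validation on the server. The hostnames, the IP address, `INTERNAL_HOSTS` and the function names are constructed for illustration.

```javascript
// Added example; hostnames, IPs and the allowlist are constructed for illustration.

// Browsers compare origins as (scheme, host, port). The IP address a name
// resolves to is not part of the comparison.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  // Opaque origins (data:, file: ...) serialise to "null" and never match.
  return oa !== "null" && oa === ob;
}

// Names this (hypothetical) internal service is meant to answer for.
const INTERNAL_HOSTS = new Set(["intranet.example", "192.168.1.1"]);

// Host header validation, a common server-side defence against DNS rebinding:
// a rebound request reaches the service's IP but still carries the
// attacker-controlled name in Host, so an allowlist check rejects it.
function hostAllowed(hostHeader, allowedHosts) {
  if (typeof hostHeader !== "string") return false;
  // Accept only host or host:port; anything else (userinfo, path) is refused.
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?$/i.exec(hostHeader.trim());
  if (!m) return false;
  const name = m[1].toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return allowedHosts.has(name);
}

// Constructed scenario: attacker.example is re-pointed from a public address
// to 192.168.1.1 after the page has loaded.
function rebindingScenario() {
  const page = "http://attacker.example/index.html";
  const laterRequest = "http://attacker.example/status"; // now resolves internally
  return {
    // Cross-site read, as in the first answer: different host, blocked.
    canReadOtherSite: sameOrigin(page, "http://intranet.example/status"),
    // Rebinding: the name is unchanged, so the browser treats it as same-origin.
    browserAllowsRequest: sameOrigin(page, laterRequest),
    // The internal service sees Host: attacker.example and refuses it.
    serviceAcceptsRebound: hostAllowed("attacker.example", INTERNAL_HOSTS),
    serviceAcceptsLegit: hostAllowed("intranet.example:80", INTERNAL_HOSTS),
  };
}

console.log(rebindingScenario());
```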