by yahelc 4733 days ago
> What this means is that client script can access those cookies which means that if you can get a piece of XSS onto the site – just as you can on the Aussie Farmers site – you can steal cookies containing passwords if you can get a customer to load the XSS payload

The author is saying that putting the password in a cookie means that, if there is an XSS vulnerability somewhere, it can be trivially used to steal usernames and passwords, since the XSS can be used to inject code on the site that grabs the values from document.cookie and appends them to a hidden iframe.
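As an added example (not code from the thread or from the site under discussion), the following parses Set-Cookie headers and flags the weakness being described: a credential stored in a cookie that client script can read because it lacks HttpOnly. The cookie names, values and the list of credential-like names are constructed assumptions for the demo.

```javascript
// Added example, not from the original thread: audit Set-Cookie headers for
// cookies that are readable by client script or that carry a credential.
// All cookie names and values below are constructed sample input.

// Parse one Set-Cookie header value into name, value and attribute map.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Return the reasons a cookie is risky. Without HttpOnly the cookie appears in
// document.cookie, so any XSS on the site can read it; without Secure it also
// travels over plain HTTP. A cookie that holds the password itself is the worst
// case, because stealing the cookie is the same as stealing the password.
function auditCookie(header, credentialNames = ['password', 'pwd', 'pass']) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attributes.httponly) findings.push('readable by script (no HttpOnly)');
  if (!c.attributes.secure) findings.push('sent over HTTP (no Secure)');
  if (credentialNames.includes(c.name.toLowerCase())) findings.push('stores a credential');
  return findings;
}

// Constructed samples: the weak pattern the post describes, beside a hardened
// session cookie that holds only an opaque random token.
const WEAK = 'password=hunter2; Path=/';
const HARDENED = 'session=8f1c2a9e3b7d4c60; Path=/; Secure; HttpOnly; SameSite=Lax';

function demo() {
  return { weak: auditCookie(WEAK), hardened: auditCookie(HARDENED) };
}
```

Note that HttpOnly only removes the cookie from document.cookie; it does not stop an XSS payload from making requests as the victim, so the real fix is to keep passwords out of cookies entirely and issue a random session token instead.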