undefined | Better HN

0 pointspatio1115y ago0 comments

XSS trivially compromises your cookie. If I have your cookie, I am you. Demonstrating cute ways to do things that I could just do by logging in as you is superfluous.

Even doing that as a prank would cause a Big Red Button security audit at some companies. As in, drop what you're doing, we need to go over every line of every commit in the git repo and verify nothing like a server password was committed. Recommendation #1 from that audit will be to stop using github.

0 comments

7 comments · 2 top-level

pilif15y ago· 5 in thread

you wouldn't get access to the cookie in most browsers. The github session cookie is apparently marked as httponly in which case JS wouldn't see it.

patio11OP15y ago

I wouldn't trust that, since there are many paths to the cheese besides document.cookie. For example, Firefox (IIRC) will let Javascript inspect all headers from an Ajax request. The cookie is just another string there...

mike-cardwell15y ago

Is that actually possible, or are you just pondering that it might be? If Firefox lets you access the raw HTTP Cookie header of a http-only cookie via AJAX, I would consider that a security bug, and report it...

I may take out 10 minutes to have a play with that later if nobody else checks first...

2 more replies

tptacek15y ago

Totally academic debate. HttpOnly is a band-aid; being able to inject Javascript still lets me do almost anything that I'd ever want to do with that cookie in the future.

bl4k15y ago

Sure you do. Easy to confirm, just fire up a console on github.com and enter document.cookie. What runs there can run on the page in injected code.

Sess cookie for github is km_ai

pilif15y ago

I would assume that the session cookie is

_github_ses

which is the only one that's set as both httponly and secure and, by the way, doesn't appear in document.cookie

rlpb15y ago

> Even doing that as a prank would cause a Big Red Button security audit at some companies. As in, drop what you're doing, we need to go over every line of every commit in the git repo and verify nothing like a server password was committed. Recommendation #1 from that audit will be to stop using github.

We know that the two scenarios (ssh key injection as a prank and what happened here as a prank) are equivalent.

If a company reacts like that in your scenario but doesn't do the same after what really happened, they're doing something very wrong.

j / k navigate · click thread line to collapse