You're right, that's kind of what I got from it by reading the other thread after posting...

You'd need to visit a page that exploits JS to make those connections to get that cookie. Afterwards, I guess it depends.

Sure, which again means it's on a web application level rather than working at the HTTP level.

There are lots of uses for cookies without having JS or a full browser available.


Even if you don't have cookies enabled, then browser fingerprinting could make the connection.

I'm not sure I follow. Cookies are stored in the client.

Yep. I believe the idea is to trick the browser into believing that you're interacting with the third-party site so that they get first-party treatment with respect to cookies and such.

I'm not sure if it's still true, but at one point, submitting a form (even via JavaScript) counted and let the site store cookies.


Can't you just read document.cookies to get the token at that point?

Can client-side code set the cookies themselves? I was under the impression cookies were an HTTP-level thing.

> every website gets to read only its own cookies

That's already the case, isn't it? It's just that embedded parts by a 3rd party can set their own cookies, which can be read by the 3rd party whenever it is embedded in any other page.


But, if the site is using only HTTP and cookies, there's no reason not to first make a request to the login page with the username/password and retrieve the cookie via the "cookie" header that comes back... Did I totally misread the article, or was it just dumb?

You wouldn't get access to the cookie in most browsers. The GitHub session cookie is apparently marked as httponly, in which case JS wouldn't see it.

It's probably linked to the session's cookie?

I didn't mention the cookie because it's not part of the protocol. It's how Google's servers behave. We don't know what the NK server does.

According to Mozilla...

Firefox is open source, you know. Even if you can't read C++ or understand the Bugzilla comments, you can also just Wireshark it.


Couldn't it be done via cookie?

Their cookies start with "JSESSIONID", so I'm guessing you're right.

It doesn't work by IP address, but by cookie.

But I'm logged in! It shows myname in the corner. So obviously you could get that cookie, right?

It's not the same, but don't the httpOnly cookies kind of serve the same purpose? JS can't read these cookies at all?

If the server supports the HTTP TRACE verb you can still get the cookie. It would be rare, but possible nonetheless.

Yep, but the data in the cookie was provided by the server, which had to already auth you via some means. Like a password, or a client-side SSL cert.

FWIW, that's exactly how it works in client-side browser scripting.

    document.cookie = 'name=value';