Challenge: Can a website modify data in third party cookies?
Results 1 to 3 of 3

Thread: Challenge: Can a website modify data in third party cookies?

  1. #1
    Junior Member Leafgreen's Avatar
    Join Date
    Apr 2008
    Posts
    1

    Exclamation Challenge: Can a website modify data in third party cookies?

    Consider this scenario:
    A coder ("DevA") has control of two websites: WebsiteA and WebsiteB, but not WebsiteD. WebsiteA and WebsiteB are written in PHP.

    When a user ("MemberA") is logged in at WebsiteA, and clicks on an advertisement ("AdD"), then the final destination of MemberA's browser is WebsiteD. Both WebsiteD and AdD's ad tracking service ("TrackingServiceD") will save the referring URL as www.WebsiteA.com/pageclickedon.php in two different cookies ("CookieD") and ("CookieT") on MemberA's computer. The www.WebsiteA.com/pageclickedon.php value may be encrypted in CookieD and CookieT.

    Can DevA write code to cause WebsiteD and TrackingServiceD to save the referring URL in CookieD and CookieT as www.WebsiteB.com/PageClickedOn.php instead of www.WebsiteA.com/PageClickedOn.php ?

    Other givens:
    1. All other values in CookieD and Cookie T (besides www.WebsiteB.com/PageClickedOn.php must remain unchanged.
    2. DevA has created code that changes the HTTP_REFERER in the http header to www.WebsiteB.com/PageClickedOn.php with a redirect from WebsiteA to WebsiteB before going to WebsiteD. Still, after MemberA clicks on AdA, WebsiteD and TrackingServiceD save the referring URL as www.WebsiteA.com/PageClickedOn.php encrypted in CookieD and CookieT.

  2. #2
    Senior Member
    Join Date
    Nov 2007
    Location
    Phoenix, Arizona
    Posts
    102
    If i understand your questions and given scenario correctly it sounds like you are refering to "Cross Site Sripting", and yes its possible.

    http://en.wikipedia.org/wiki/Cross-site_scripting
    LOGIN: yes
    PASSWORD: I dont have one
    "Login Failed"

  3. #3
    Junior Member
    Join Date
    Apr 2008
    Posts
    1
    No what you are suggesting cannot be done.

    But your point 2 is the way I would go around it. Have the link of websiteA link to websiteB where it is then bounced to websiteD. It will work, it probably hasn't been implemented correctly.

Similar Threads

  1. Website Administration
    By jethro in forum The Security Tutorials Forum
    Replies: 4
    Last Post: August 9th, 2006, 10:13 AM
  2. Auditing the Physical Security of a Data Center
    By Spyrus in forum The Security Tutorials Forum
    Replies: 5
    Last Post: October 7th, 2005, 09:18 AM
  3. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 07:38 PM
  4. Securing Your Windows PC
    By E5C4P3 in forum The Security Tutorials Forum
    Replies: 10
    Last Post: June 12th, 2002, 04:54 PM
  5. Anonymoity Tutorial
    By ac1dsp3ctrum in forum The Security Tutorials Forum
    Replies: 8
    Last Post: February 13th, 2002, 11:36 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides