

XSS possible?

I have been testing a VPN connection to an SFOS device. I have two access points, one on the LAN side and the second on the WAN side. I connected the VPN and logged in to the Admin Console, then disconnected the VPN and switched WiFi.

I was surprised that after refreshing the browser, the admin console still worked. Isn't it a chance for someone to successfully make an XSS attack on the console if I can stay logged in even when my IP address changed? Can anyone confirm that behaviour?



This thread was automatically locked due to age.
  • That behaviour occurred in UTM 9 as well; it's because the login is session-based, using a cookie. You can see it in Google Chrome > Privacy > Content Settings > All Cookie & Site Data > Search for Cookie.

    Fairly certain these cookies are signed, so they shouldn't be that open to session hijacking, as they are browser-session based and the session is closed on browser close. It's not easy to replicate the browser identity and copy/steal a cookie and hijack the session.
