
I am new to the ideas of secure connections through cookies/sessions so I am doing some research and I came across the SSL handshake. I understand that:

  1. browser sends an initial request to a server
  2. Server sends certificate (containing a public key n) to browser
  3. Browser chooses a random x (I don't know how this is done), and computes (x^65537 mod n), and sends this computed value back to the Server
  4. Server decrypts this computed value using their two private (usually prime) keys
  5. Server and client now have a "session key" which only the two parties know about. They now use this session key to encrypt all messages belonging to this session.

I found a question here talking about where this SSL symmetric key (session key) is stored on the Server side.

On the client side however, I've tried opening the developers console and looking for it but I can't find it. This makes sense, obviously I shouldn't be able to easily find it. Where is this session key stored on the client side? Is it possible for my session key to be stolen during an XSS attack?

Hen
  • Steps 3 and 4 are not correct. The key agreement protocol is defined in RFC 2246 and successors and it is not as you describe here. There is an immense amount of BS on the Internet about this from other sources. Don't trust them. Don't even read them. – user207421 Mar 20 '17 at 01:18
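The exchange the question sketches in steps 3 and 4 is the RSA key-transport mode of TLS 1.0 through 1.2 (dropped in TLS 1.3), and the following added Python example, which is not part of the question or of any answer, shows where the sketch and the real protocol differ: the random value x is a premaster secret, the server recovers it with the private exponent derived from its two primes, and neither side uses x as the session key; both run it together with the ClientHello and ServerHello random nonces through the TLS 1.2 PRF of RFC 5246 to get the 48-byte master secret. The key pair is a constructed toy (two fixed ~30-bit primes, textbook RSA with no PKCS#1 padding, so it is not usable for anything but illustration), and the function names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed toy RSA key pair: two fixed, known primes so the example needs no
# key generator. Real server keys are 2048+ bits; this modulus is ~60 bits.
P = 1_000_000_007
Q = 998_244_353
E = 65537                            # the public exponent the question mentions
N = P * Q                            # public modulus, shipped in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, derived from the two primes


def rsa_encrypt(m: int, n: int = N, e: int = E) -> int:
    """Client's step 3: m^e mod n (real TLS first applies PKCS#1 v1.5 padding)."""
    assert 0 < m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(c: int, n: int = N, d: int = D) -> int:
    """Server's step 4: c^d mod n with the private exponent."""
    return pow(c, d, n)


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed), truncated."""
    seed = label + seed
    a = seed                                   # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0:48] (RFC 5246 section 8.1)."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def rsa_key_exchange(client_random: bytes, server_random: bytes,
                     premaster_int: int) -> Tuple[bytes, bytes, int]:
    """Run both sides of the toy exchange; return (client_key, server_key, ciphertext)."""
    # Client: encrypt the premaster secret to the server's public key and derive.
    ciphertext = rsa_encrypt(premaster_int)
    premaster_client = premaster_int.to_bytes(8, "big")
    client_key = derive_master_secret(premaster_client, client_random, server_random)
    # Server: recover the premaster with the private key, derive the same way.
    premaster_server = rsa_decrypt(ciphertext).to_bytes(8, "big")
    server_key = derive_master_secret(premaster_server, client_random, server_random)
    return client_key, server_key, ciphertext


if __name__ == "__main__":
    # Constructed nonces and premaster; in TLS the premaster is 48 random bytes.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    x = secrets.randbelow(N - 1) + 1
    ck, sk, c = rsa_key_exchange(client_random, server_random, x)
    print("premaster x       :", hex(x))
    print("x^65537 mod n     :", hex(c))
    print("keys match        :", ck == sk)
    print("master secret     :", ck.hex())
```

Only the ciphertext, the two randoms and the certificate cross the wire; the master secret exists only in the memory of the two endpoints, and changing either nonce changes it even when x is reused, which is why the session key cannot be read off the handshake alone.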

1 Answer

Browsers will store the session keys in memory.

They won't be retrievable in any XSS attack because they are not stored in the DOM.

It is also likely that any XSS attack won't need the session keys for their mayhem because such an attack can already access everything client-side it needs to, except for HttpOnly cookies.

SilverlightFox
  • Cookies are also not stored in the DOM, yet they still appear in the browser when you open developers console... Would you kindly explain to me how an XSS attack can cause any mayhem when session information is protected within an HttpOnly cookie (shouldn't most, if not all, websites implement this practice by now)? – Hen Feb 25 '16 at 17:11
  • An example is that some malicious JavaScript could display a login form using exactly the same style as the host site and ask the user to log in. Once the username and password are entered, they will be sent client-side to the attacker. – SilverlightFox Feb 25 '16 at 22:48
  • This doesn't describe where in memory? We actually want to know where session keys are stored and is there any way to see them? – thatguy Aug 17 '21 at 15:59
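To make the answer's HttpOnly point concrete, here is an added Python example (my own, not from the answer): it builds the Set-Cookie header a server should send for a session identifier and a small constructed model of which cookies page script can read through document.cookie. The model is an approximation of browser behaviour, not browser code, and the function names are assumptions; the TLS session key appears nowhere in it because it never enters the cookie jar or the DOM at all.

```python
from http.cookies import SimpleCookie
from typing import Dict, List


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a session identifier with the hardening attributes:
    HttpOnly keeps it out of document.cookie, Secure restricts it to TLS,
    SameSite=Strict stops cross-site requests from carrying it."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def script_visible_cookies(set_cookie_headers: List[str]) -> Dict[str, str]:
    """Constructed model of document.cookie: every cookie the responses set,
    minus those flagged HttpOnly. Injected script (XSS) sees only this view."""
    visible: Dict[str, str] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for cookie_name, morsel in jar.items():
            if not morsel["httponly"]:        # flag absent -> readable by script
                visible[cookie_name] = morsel.value
    return visible


if __name__ == "__main__":
    # Constructed responses: a hardened session cookie and a plain preference cookie.
    headers = [
        session_cookie_header("sid", "s3ss10n-example"),
        "theme=dark; Path=/",
    ]
    for h in headers:
        print("Set-Cookie:", h)
    print("document.cookie view:", script_visible_cookies(headers))
```

Running it prints the session cookie with HttpOnly, Secure and SameSite set, and a script-visible view containing only the theme cookie; the session identifier still rides along on every request the browser makes, which is why the fake-login-form comment above remains a risk even with HttpOnly in place.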