On Wed, Oct 01 2008, Moritz Onken wrote:
> I imagine a case where the attacker's site opens an iframe to your
> site which exploits an XSS issue and can send the whole form
> information back to the attacker's site. He now has the HMAC and
> the random string.

I was under the impression that you could open an iframe to someone else's site and manipulate it from javascript running on your own site, without relying on any vulnerabilities on that site. Maybe not? Maybe flash can do this? (Why do we even have iframes? For serving ads?)

Anyway, Template::Refine is a great module for adding stuff to forms, in the event that your form builder isn't already adding some sort of unique token. I actually use it to add the "name" field to all the inputs; at some point I will just "encrypt" these like Seaside and many other frameworks do. You can then validate these with an ActionClass.

Regards,
Jonathan Rockway

--
print just => another => perl => hacker => if $,=$"

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
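The quoted message refers to a form token made of a random string plus an HMAC. The following is an added example, not code from this thread or from Catalyst or Template::Refine, showing one way such a token is built and checked when the MAC is bound to the session: the token verifies for the session it was issued to, is rejected when replayed under another session or when the MAC or format is altered, and, as the quoted message points out, still verifies when script running inside the victim's own origin submits it from the victim's session. The secret, session ids and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example only; a deployment loads it from
# configuration, never from source, and rotates it.
SERVER_SECRET = b"constructed-example-secret"


def issue_token(session_id: str, nonce: Optional[str] = None) -> str:
    """Issue an anti-CSRF token of the form "<nonce>:<mac>".

    The MAC is HMAC-SHA256 over the session id and a fresh random nonce, so
    the token is only meaningful for the session it was issued to.
    """
    if nonce is None:
        nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{mac}"


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presenting session and compare in constant time."""
    nonce, sep, mac = token.partition(":")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def scenarios() -> dict:
    """Exercise the token against the cases raised in the thread."""
    victim = "sess-victim-0001"   # constructed session ids
    attacker = "sess-attacker-9"
    token = issue_token(victim)

    # Token submitted by the victim's own browser in the victim's session.
    genuine = verify_token(victim, token)

    # Same token submitted under a different session: the MAC no longer matches.
    cross_session = verify_token(attacker, token)

    # Token with the MAC replaced, and a token that is not even well formed.
    nonce, mac = token.split(":")
    forged = verify_token(victim, f"{nonce}:{'0' * len(mac)}")
    malformed = verify_token(victim, "no-separator")

    # Script running in the victim's origin (the XSS case in the quoted message)
    # reads the form and submits it from the victim's session; the token alone
    # cannot distinguish this from a genuine submission. Fixing the XSS is the
    # control that matters here.
    xss_in_session = verify_token(victim, token)

    return {
        "genuine": genuine,
        "cross_session": cross_session,
        "forged_mac": forged,
        "malformed": malformed,
        "xss_in_session": xss_in_session,
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Binding the MAC to the session id is what makes the "random string" worth more than a plain nonce: a token lifted from one context does not verify in another. The last scenario is the limit of the technique, and it is the one the quoted message describes.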
