* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 12:55]:
> but this does still rely on the fact that there is no XSS issue
> on your page, doesn't it?

So what? If your site has an XSS hole, it’s already game over.
The attacker can inject JavaScript that passes the same-origin
policy blockade, so they can already do whatever the hell they
want.

> I imagine a case where the attacker's site opens an iframe to
> your site which exploits a XSS issue and can send the whole form
> information back to the attacker's site. He has now the HMAC
> and the random string.

Using an XSS hole to initiate a CSRF attack is like breaking in
through the window to steal the house keys so you can unlock the
front door. Attackers don’t build Rube Goldberg contraptions.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
