On 01.10.2008 at 16:23, Aristotle Pagaltzis wrote:

* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 12:55]:
but this does still rely on the fact that there is no XSS issue
on your page, doesn't it?

So what? If your site has an XSS hole, it’s already game over.
The attacker can inject JavaScript that passes the same-origin
policy blockade, so they can already do whatever the hell they
want.

I imagine a case where the attacker's site opens an iframe to
your site which exploits an XSS issue and can send the whole form
information back to the attacker's site. He now has the HMAC
and the random string.

Using an XSS hole to initiate a CSRF attack is like breaking in
through the window to steal the house keys so you can unlock the
front door. Attackers don’t build Rube Goldberg contraptions.

Regards,

Yeah you're right. Good point ;-)


_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
