On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller <[email protected]> wrote:
> On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth <[email protected]> wrote:
>>
>> GET really doesn't have anything to do with it.  The attacker can
>> issue POST requests (and really any other method) too.  Note that the
>> attacker can read the response and follow any links, etc.
>
> Recall that we were examining the GET hypothesis under the assumption that
> POSTs were already protected by secret tokens against XSRFs.

Right, but once the attacker has XSSed site A, the attacker learns the
secret token necessary to issue the next request in the chain to site
A regardless of the method.

Adam