Frederik De Keukelaere <[EMAIL PROTECTED]> writes:
> Would you mind sharing the different data formats you came across for
> exchanging data in mashups/Web 2.0? Considering the challenges you
> recently discovered, it might be good to have such an overview to look at
> it from a security point of
Hi Brian, Hi Stefano,
> Ok I see the difference.
> You are taking advantage of a pure JSON CSRF with an evil script which
> contains a modified version of the Object prototype.
> And when the callback function is executed you use an XMLHttpRequest in
> order to send the information extracted by
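The precondition for the attack described in the quoted reply above, as an added example written by the editor and not part of the thread (not code from Stefano, Brian or Frederik): a JSON response body is only stealable via a cross-origin script tag if it also parses as a standalone JavaScript program. The Node.js snippet below checks that, simulates the JSONP-style callback capture (a body that calls a callback the attacker's page defines), and shows the two server-side mitigations: wrapping data in an object with quoted keys, and prefixing the body with a poison string the legitimate client strips before JSON.parse. The response bodies and the `)]}',` prefix convention are constructed for the example. Current engines no longer fire Object.prototype setters or the Array constructor for object and array literals, so the Object-prototype hook the reply refers to is not reproduced here; the checks are parse-only and nothing is executed except the constructed JSONP body.

```javascript
// Added example, not from the thread. All bodies below are constructed.

// Does the body parse as a standalone script? Parsing only, never running:
// a `while(1);` prefix therefore counts as parseable (it is; it just hangs
// when loaded via <script src>, which is the point of that prefix).
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// JSONP-style hijack: the server wraps the data in a callback call, and the
// attacker page simply defines that callback itself. Simulated here by
// executing a constructed JSONP body with the attacker's callback in scope.
function jsonpHijack(jsonpBody) {
  const stolen = [];
  const callback = (data) => stolen.push(data);
  new Function('callback', jsonpBody)(callback);
  return stolen;
}

// Mitigation 1: never return a bare array. `{"k": ...}` at statement
// position is parsed as a block, and a string literal followed by ':' is not
// a valid label, so the body is a SyntaxError as a script but still valid JSON.
// Mitigation 2: prefix the body with a string that is never valid JavaScript
// (assumed convention, Google-style ")]}',"), which the real client strips.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function guardJson(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Constructed samples: what a vulnerable endpoint returns versus the fixes.
const BARE_ARRAY = '[{"id":1,"secret":"s3cr3t"}]';
const WRAPPED_OBJECT = '{"items":[{"id":1,"secret":"s3cr3t"}]}';
const JSONP_BODY = 'callback([{"id":1,"secret":"s3cr3t"}])';

console.log('bare array loadable as script :', parsesAsScript(BARE_ARRAY));
console.log('wrapped object loadable       :', parsesAsScript(WRAPPED_OBJECT));
console.log('prefixed body loadable        :', parsesAsScript(guardJson([1, 2])));
console.log('JSONP data captured           :', JSON.stringify(jsonpHijack(JSONP_BODY)));
```

Only the first sample and the JSONP body are stealable; the wrapped object and the prefixed body fail to parse as scripts while remaining valid JSON for a client that unwraps them with `parseGuardedJson`. Prefix stripping must happen on the client before `JSON.parse`, and the endpoint should still require a CSRF token or a custom request header, since the prefix only blocks the script-tag channel.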
Hi Brian,
On Mon, 02/04/2007 at 12.13 -0700, Brian Chess wrote:
> Hi Stefano,
>
> Yes, we are aware of your paper, but we intentionally chose to omit the
> reference because we are quite snobby. I'm joking!
:DD lol
> The difference between what you discuss and JavaScript Hijacking
> From: Stefano Di Paola <[EMAIL PROTECTED]>
> Date: Mon, 02 Apr 2007 11:11:24 +0200
> To: "sc-l@securecoding.org"
> Cc: Brian Chess <[EMAIL PROTECTED]>
> Subject: Re: [SC-L] JavaScript Hijacking
>
> Brian,
>
> I don't know if you read it but me and
Brian,
I don't know if you read it, but Giorgio Fedon and I presented a paper
named "Subverting Ajax" at the 23rd CCC Congress.
(section 4, XSS Prototype Hijacking)
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf
It described a technique called Prototype Hijacking,