Hi,

The main concern of that kind of non-persistent XSS attack is phishing. A security society that audited our code highlighted that problem. It is a minor security flaw, but it is still a security flaw. If there is no easy workaround, I will try to disable the services page on my webservices.
________________________________
From: "Rhenius, Karl Stefan [via CXF]" <[email protected]>
To: sami <[email protected]>
Sent: Fri 25 February 2011, 9:59:47
Subject: RE: XSS flaw in Available SOAP services page

Hi Glenn,

there are persistent and non-persistent XSS attacks. http://en.wikipedia.org/wiki/Cross-site_scripting describes an exploit scenario for non-persisting XSS attacks.

Karl

> But giving somebody a fraudulent link is not cross-site scripting, and browser certificate checks would catch that anyway.
>
> Only the service provider has control over the contents of the https://www.mybank.com/services/BankingService?wsdl page, Bad Guy has no opportunities to enter in data that could alter that page, so I don't see where the XSS concern is.

________________________________
View this message in context: http://cxf.547215.n5.nabble.com/XSS-flaw-in-Available-SOAP-services-page-tp3398847p3399794.html
Sent from the cxf-user mailing list archive at Nabble.com.
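To make the reflected (non-persistent) case concrete, here is an added, simplified model of a services listing page, not CXF's own code: it assumes the page embeds a request-derived base address into its HTML (the thread does not say which value is reflected), and shows that same rendering with and without output escaping.

```java
import java.util.List;

/**
 * Simplified model (not CXF's code) of an "available SOAP services" page
 * that embeds a request-derived base address into HTML.
 */
public class ServicesPage {

    /** Minimal HTML escaper for text nodes and double-quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Reflected XSS: the request-derived address is written into the page verbatim. */
    static String renderUnsafe(String baseAddress, List<String> services) {
        StringBuilder html = new StringBuilder("<h2>Available SOAP services</h2><ul>");
        for (String name : services) {
            String url = baseAddress + "/" + name;
            html.append("<li><a href=\"").append(url).append("?wsdl\">")
                .append(url).append("</a></li>");
        }
        return html.append("</ul>").toString();
    }

    /** Hardened: every request-derived value is escaped at the point of output. */
    static String renderSafe(String baseAddress, List<String> services) {
        StringBuilder html = new StringBuilder("<h2>Available SOAP services</h2><ul>");
        for (String name : services) {
            String url = escapeHtml(baseAddress + "/" + name);
            html.append("<li><a href=\"").append(url).append("?wsdl\">")
                .append(url).append("</a></li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a base address containing markup characters,
        // as a crafted link to the page might cause the server to see it.
        String base = "http://www.mybank.com/services\"><script>";
        List<String> services = List.of("BankingService");
        System.out.println(renderUnsafe(base, services)); // attribute closed, tag injected
        System.out.println(renderSafe(base, services));   // &quot;&gt;&lt;script&gt; stays text
    }
}
```

Only the server controls the page template, as Glenn notes, but the unsafe variant lets a link supplied to the victim decide part of its content; escaping at output (or removing the listing page, as sami considers) closes that gap.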
